SurrealDB has Denial of Service in JSON parser due to nested objects
📋 Description
The SurrealDB value and JSON parser did not enforce the configured recursion depth limit when parsing nested {, [, or ( tokens. The expression parser already enforced the limit for these tokens; the value/JSON parser omitted it. An unauthenticated attacker could send a deeply nested JSON payload to the WebSocket /rpc endpoint and exhaust server memory, crashing the process.
This is an incomplete fix for GHSA-6r8p-hpg7-825g, which addressed the same class of bug in the expression parser but did not cover the value/JSON parser code path.
Impact
An unauthenticated remote attacker can crash a SurrealDB server with a single WebSocket message. No credentials or query execution privileges are required.
Patches
A patch enforces the configured recursion depth limit in parse_value and parse_json, bringing them in line with the rest of the parser.
- Versions 3.1.0 and later are not affected by this issue.
Workarounds
Restrict network access to the WebSocket /rpc endpoint to trusted clients.
🎯 Affected products1
- rust/surrealdb:< 3.1.0