GHSA-q8qp-67f9-wr3fMediumCVSS 6.5Disclosed before NVD

SurrealDB vulnerable to Denial of Service due to nested types annotations

Published
July 1, 2026
Last Modified
July 1, 2026

📋 Description

The SurrealDB type/kind parser did not enforce the configured recursion depth limit when parsing nested type annotations. The expression parser already enforced the limit for analogous constructs; the kind parser omitted it. An authenticated attacker could send a query with deeply nested type annotations (e.g., array<option<array<option<...>>>>) and exhaust server memory, crashing the process.

This is an incomplete fix for GHSA-6r8p-hpg7-825g, which addressed the same class of bug in the expression parser but did not cover the kind/type annotation parser code path.

Impact

An authenticated user with query execution privileges can crash a SurrealDB server with a single WebSocket message containing deeply nested type annotations.

Patches

A patch has been introduced that wraps parse_concrete_kind and the OPTION<...> arm of parse_inner_kind with enter_object_recursion!, bounding the recursive cycle parse_concrete_kind → parse_inner_kind → parse_inner_single_kind → parse_concrete_kind at the configured object_recursion_limit (default 100). Regression tests cover both cast and DEFINE FIELD paths.

  • Versions 3.1.0 and later are not affected by this issue.

Workarounds

Restrict the ability of untrusted users to execute arbitrary queries via the --deny-arbitrary-query capability flag for the affected user classes (guest, record, or system). Disabling untrusted access to the WebSocket /rpc endpoint also prevents exploitation; the HTTP /sql endpoint's 1 MiB body limit constrains nesting to a depth where OOM is not feasible.

🎯 Affected products1

  • rust/surrealdb:< 3.1.0

🔗 References (3)