GHSA-wjjj-24cx-f28gHighCVSS 7.5Disclosed before NVD

SurrealDB has unauthenticated remote DoS via malformed RPC `use` call

Published
July 1, 2026
Last Modified
July 1, 2026

📋 Description

A single unauthenticated WebSocket message to /rpc crashed the SurrealDB server. Sending use { db: "x" } without first selecting a namespace hit .expect("namespace should be set") in the use handler; because surrealdb-core is built with panic = 'abort', the panic terminated the process. use is callable before signin, and the per-method capability check passes by default for guest callers — so no credentials, token, or --allow-guests flag are required.

Impact

An unauthenticated remote attacker who could reach the /rpc endpoint could crash the SurrealDB server with a single WebSocket message. No credentials, token, session knowledge, or capability are required.

Patches

A patch has been introduced that returns a typed invalid_params response when db is set on a session with no ns, replacing the panic.

  • Versions 3.1.0 and later are not affected by this issue.

Workarounds

Affected users who are unable to update should restrict network access to the /rpc endpoint to trusted clients, and run SurrealDB under a process supervisor that restarts on crash.

🎯 Affected products1

  • rust/surrealdb:< 3.1.0

🔗 References (3)