SurrealDB has unauthenticated remote DoS via malformed RPC `use` call
📋 Description
A single unauthenticated WebSocket message to /rpc crashed the SurrealDB server. Sending use { db: "x" } without first selecting a namespace hit .expect("namespace should be set") in the use handler; because surrealdb-core is built with panic = 'abort', the panic terminated the process. use is callable before signin, and the per-method capability check passes by default for guest callers — so no credentials, token, or --allow-guests flag are required.
Impact
An unauthenticated remote attacker who could reach the /rpc endpoint could crash the SurrealDB server with a single WebSocket message. No credentials, token, session knowledge, or capability are required.
Patches
A patch has been introduced that returns a typed invalid_params response when db is set on a session with no ns, replacing the panic.
- Versions 3.1.0 and later are not affected by this issue.
Workarounds
Affected users who are unable to update should restrict network access to the /rpc endpoint to trusted clients, and run SurrealDB under a process supervisor that restarts on crash.
🎯 Affected products1
- rust/surrealdb:< 3.1.0