PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-58357 surrealdb CVE debrief

CVE-2024-58357 is an uncaught exception vulnerability in SurrealDB versions before 2.1.0. The vulnerability exists in the rand::time() function, which panics when unwrap is called on a None result from timestamp_opt. Authorized clients can repeatedly invoke rand::time() to reliably trigger server panics and cause denial of service. The CVSS score for this vulnerability is 7.1, indicating a high severity. Users of SurrealDB versions before 2.1.0 should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 2.1.0 or later, and implementing defensive measures such as monitoring for unusual activity and restricting access to the rand::time() function.

Vendor
surrealdb
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-18
Original CVE updated
2026-07-18
Advisory published
2026-07-18
Advisory updated
2026-07-18

Who should care

Users of SurrealDB versions before 2.1.0, operators, platform administrators, vulnerability management teams, and security teams should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability exists in the rand::time() function in SurrealDB versions before 2.1.0. The function panics when unwrap is called on a None result from timestamp_opt, causing a denial of service. Authorized clients can repeatedly invoke rand::time() to reliably trigger server panics. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Affected product deployments should be reviewed for exposure, and compensating controls should be implemented while remediation is scheduled.

Defensive priority

Highest priority should be given to upgrading to SurrealDB version 2.1.0 or later. Additional defensive measures include monitoring for unusual activity, restricting access to the rand::time() function, and implementing compensating controls such as rate limiting and IP blocking. Asset inventory and source tracking should also be reviewed to ensure that all affected systems are accounted for and that the vulnerability is properly mitigated. Rollback/change windows should be considered to minimize downtime during remediation. Exposure review and compensating controls should be implemented to minimize the impact of the vulnerability. Monitoring and detection should be reviewed to ensure that potential attacks are detected and responded to promptly. Vendor patch guidance should be followed to ensure that the vulnerability is properly patched. Security teams should track exceptions and retest remediated assets to ensure that the vulnerability is properly mitigated and that no false positives or negatives exist. The following recommended actions should be taken: Upgrade to SurrealDB version 2.1.0 or later, Monitor for unusual activity, Restrict access to the rand::time() function, Implement compensating controls such as rate limiting, Review asset inventory and source tracking, Implement exposure review and compensating controls, Review monitoring and detection, Follow vendor patch guidance, and Track exceptions and retest remediated assets. Additionally, consider implementing a rollback/change window to minimize downtime during remediation, and review security team procedures to ensure that they are prepared to respond to potential attacks. Compensating controls such as IP blocking and rate limiting should be implemented to minimize the impact of the vulnerability. Source tracking should be reviewed to ensure that all affected systems are accounted for and that the vulnerability is properly mitigated. Defenders should verify the affected scope, severity, and vendor guidance to ensure that they are properly prepared to respond to potential attacks. The rand::time() function should be reviewed to ensure that it is properly secured and that access to it is restricted.

Recommended defensive actions

  • Upgrade to SurrealDB version 2.1.0 or later
  • Monitor for unusual activity
  • Restrict access to the rand::time() function
  • Implement compensating controls such as rate limiting
  • Review asset inventory and source tracking
  • Implement exposure review and compensating controls
  • Follow vendor patch guidance

Evidence notes

The evidence for this vulnerability comes from the NVD and the vendor's security advisory. The NVD entry for this vulnerability provides a detailed description of the vulnerability and its impact. The vendor's security advisory provides additional information on the vulnerability and recommends upgrading to version 2.1.0 or later. Defenders should verify the affected scope, severity, and vendor guidance. They should also review compensating controls for exposed systems while remediation is scheduled and verified.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:08.503Z and has not been modified since then.