PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-58359 surrealdb CVE debrief

A denial of service vulnerability exists in SurrealDB versions before 2.1.0. The vulnerability is triggered when using the ORDER BY rand() clause, which can cause a panic in the sorting function, resulting in a server crash. This issue can be exploited by authorized clients executing specific queries. The vulnerability has a CVSS score of 7.1 and is rated as HIGH. Users of SurrealDB versions before 2.1.0 should be aware of this vulnerability and take necessary precautions to prevent exploitation.

Vendor
surrealdb
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-18
Original CVE updated
2026-07-18
Advisory published
2026-07-18
Advisory updated
2026-07-18

Who should care

Users of SurrealDB versions before 2.1.0, operators, platform administrators, vulnerability management teams, and security teams should be aware of this vulnerability and take necessary precautions to prevent exploitation.

Technical summary

The vulnerability is caused by a flaw in the sorting mechanism of SurrealDB when using the ORDER BY rand() clause. This can lead to a panic in the sorting function, causing the server to crash. The issue is rated as HIGH with a CVSS score of 7.1. The vulnerability affects SurrealDB versions before 2.1.0. Authorized clients can execute queries with ORDER BY rand() to trigger a panic in the sorting function.

Defensive priority

High priority should be given to updating SurrealDB to version 2.1.0 or later. In the meantime, restricting access to authorized clients and monitoring server activity can help mitigate the risk.

Recommended defensive actions

  • Update SurrealDB to version 2.1.0 or later
  • Restrict access to authorized clients
  • Monitor server activity for suspicious queries
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-18T14:17:08.780Z and has not been modified since then. The NVD entry is currently in the 'Received' status. This information is based on the provided source corpus. Further verification is recommended to confirm the accuracy of this information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:08.780Z and has not been modified since then. The NVD entry is currently in the 'Received' status.