PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-71392 surrealdb CVE debrief

CVE-2025-71392 is a critical vulnerability in SurrealDB, allowing authenticated users to inject malicious SurrealQL code via the command-line export command. This issue affects SurrealDB versions before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2. The vulnerability enables privilege escalation and potential root-level takeover of the SurrealDB instance. Users of SurrealDB, especially those with custom tables or fields, should be aware of this vulnerability and take immediate action to protect their instances.

Vendor
surrealdb
Product
Unknown
CVSS
CRITICAL 9.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-18
Original CVE updated
2026-07-18
Advisory published
2026-07-18
Advisory updated
2026-07-18

Who should care

Users of SurrealDB, especially those with custom tables or fields, should be aware of this vulnerability and take immediate action to protect their instances. This includes updating SurrealDB to a secure version, restricting access to the command-line export command, and monitoring for suspicious activity. Security teams and operators should review the official advisory and assess their exposure to this vulnerability.

Technical summary

The vulnerability arises from SurrealDB's failure to properly escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create maliciously named tables or fields containing SurrealQL. When a higher-privileged user imports the exported backup, the injected SurrealQL executes, enabling privilege escalation and potential root-level takeover of the SurrealDB instance. Applications that let users define custom tables or fields are also exposed to a universal second-order SurrealQL injection even when query parameters are sanitized.

Defensive priority

High

Recommended defensive actions

  • Update SurrealDB to version 2.0.5 or later, 2.1.5 or later, or 2.2.2 or later.
  • Restrict access to the command-line export command.
  • Monitor for suspicious activity and implement compensating controls.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-18T14:17:10.580Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The vulnerability affects SurrealDB versions before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2. Users should review the official advisory for more information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:10.580Z and has not been modified since then.