PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-71393 surrealdb CVE debrief

CVE-2025-71393 is a medium-severity vulnerability in SurrealDB before version 2.2.2. The vulnerability occurs when scripting is enabled and native functions contain embedded JavaScript that issues new queries, allowing authenticated attackers to bypass recursion limits and trigger infinite recursion, leading to memory exhaustion. This can have significant operational impacts on systems using affected versions of SurrealDB, particularly in terms of performance and stability. Users of SurrealDB version prior to 2.2.2 should be aware of this vulnerability and take steps to mitigate it, especially if scripting is enabled. The vulnerability has been documented in the CVE record and NVD entry, which provide further details on the affected products and potential mitigations.

Vendor
surrealdb
Product
Unknown
CVSS
MEDIUM 6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-18
Original CVE updated
2026-07-18
Advisory published
2026-07-18
Advisory updated
2026-07-18

Who should care

Users of SurrealDB version prior to 2.2.2 should be aware of this vulnerability and take steps to mitigate it, especially if scripting is enabled. This includes administrators, developers, and security teams responsible for maintaining and securing SurrealDB deployments. Additionally, operators and platform teams may need to review the vulnerability and its potential impact on their systems and applications. Vulnerability management and security teams should prioritize updating SurrealDB to version 2.2.2 or later and implement additional security measures to prevent authenticated attackers from exploiting the vulnerability.

Technical summary

The vulnerability is caused by SurrealDB's failure to properly enforce recursion limits when native functions contain embedded JavaScript that issues new queries. This allows authenticated attackers to bypass the recursion limit by chaining native and JavaScript function calls, triggering infinite recursion and exhausting server memory. The vulnerability is particularly concerning because it can be exploited by authenticated attackers, which may have a higher likelihood of success compared to unauthenticated attacks. To mitigate this vulnerability, users should update SurrealDB to version 2.2.2 or later, disable scripting if not required, and monitor server memory usage for unusual patterns.

Defensive priority

Medium priority should be given to updating SurrealDB to version 2.2.2 or later, especially if scripting is enabled. Additional security measures should be implemented to prevent authenticated attackers from exploiting the vulnerability, and server memory usage should be closely monitored for unusual patterns.

Recommended defensive actions

  • Update SurrealDB to version 2.2.2 or later
  • Disable scripting if not required
  • Monitor server memory usage for unusual patterns
  • Implement additional security measures to prevent authenticated attackers from exploiting the vulnerability
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-18T14:17:10.703Z and has not been modified since then. The NVD entry is currently in the 'Received' status. This information is based on the provided source corpus and may not reflect the current status of the vulnerability. Users should verify the information with the official CVE record and NVD entry for the most up-to-date details. The vulnerability affects SurrealDB before version 2.2.2, and it is recommended to update to the latest version to mitigate the vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:10.703Z and has not been modified since then. The NVD entry is currently in the 'Received' status.