Advertisement
Security

Critical SurrealDB Injection Flaw Discovered

A critical injection vulnerability in SurrealDB allows authenticated users to achieve privilege escalation and full system takeover via malicious database exports.

··2 hours ago·2 min read
pink and white love you and love me print padlock
Photo by FlyD on Unsplash
Advertisement

SurrealDB has issued a security advisory for a critical vulnerability, tracked as CVE-2025-71392, which stems from improper escaping of table and field names during command-line export operations. This flaw enables an authenticated user with OWNER or EDITOR roles to execute arbitrary SurrealQL commands, potentially leading to a complete root-level takeover of the database instance when a higher-privileged user imports the compromised backup.

What's at Risk

The vulnerability affects SurrealDB versions prior to 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2. Organizations running these versions of SurrealDB are at risk, particularly those that allow end-users to define custom tables or fields, as this exposes the system to a universal second-order injection attack.

Generally, systems that handle administrative tasks like database exports are high-value targets. When an application processes data that has been manipulated by an authenticated user, it can inadvertently execute malicious commands with the authority of the system administrator performing the backup or restore, effectively bypassing intended access controls.

How the Flaw Works

This vulnerability falls under the class of injection flaws, where untrusted input is processed as executable code rather than plain data. In a typical second-order injection scenario, an attacker stores malicious payload within the database itself—in this case, by naming a table or field with crafted SurrealQL syntax. The injection remains dormant until a downstream process, such as an export or import utility, inadvertently executes the stored payload.

When the system fails to properly sanitize or escape these identifiers, the database engine treats the malicious input as a legitimate command. This allows attackers to escalate their privileges, exfiltrate sensitive data, or gain unauthorized control over the underlying infrastructure. Such flaws highlight the necessity of treating all database identifiers as potentially hostile input, regardless of their source.

How to Protect Your Systems

  • Upgrade immediately to SurrealDB version 2.0.5, 2.1.5, 2.2.2, or later to patch the underlying issue.
  • Restrict access to administrative functions like CLI exports to only the most trusted, strictly vetted personnel.
  • Implement the principle of least privilege by auditing user roles and removing OWNER or EDITOR access from accounts that do not explicitly require it.
  • Monitor database system logs for unusual table or field naming conventions that may indicate an attempt to inject malicious syntax.
  • Ensure that your database environment is segmented and that backups are handled within a secure, isolated pipeline to prevent the execution of untrusted exports.

Given the critical severity of this flaw and the potential for total system compromise, immediate action is required. Organizations must prioritize patching their SurrealDB instances to prevent attackers from leveraging this injection vector to escalate privileges and gain persistent, unauthorized access to the database environment.

#surrealdb#vulnerability#cve-2025-71392#injection#privilege-escalation

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement