The SurrealDB value and JSON parser did not enforce the configured recursion depth limit when parsing nested {, [, or ( tokens. The expression parser already enforced the limit for these tokens; the value/JSON parser omitted it. An unauthenticated attacker could send a deeply nested JSON payload to the WebSocket /rpc endpoint and exhaust server memory, crashing the process.
This is an incomplete fix for GHSA-6r8p-hpg7-825g, which addressed the same class of bug in the expression parser but did not cover the value/JSON parser code path.
Impact
An unauthenticated remote attacker can crash a SurrealDB server with a single WebSocket message. No credentials or query execution privileges are required.
Patches
A patch enforces the configured recursion depth limit in parse_value and parse_json, bringing them in line with the rest of the parser.
- Versions 3.1.0 and later are not affected by this issue.
Workarounds
Restrict network access to the WebSocket /rpc endpoint to trusted clients.
References
The SurrealDB value and JSON parser did not enforce the configured recursion depth limit when parsing nested
{,[, or(tokens. The expression parser already enforced the limit for these tokens; the value/JSON parser omitted it. An unauthenticated attacker could send a deeply nested JSON payload to the WebSocket/rpcendpoint and exhaust server memory, crashing the process.This is an incomplete fix for GHSA-6r8p-hpg7-825g, which addressed the same class of bug in the expression parser but did not cover the value/JSON parser code path.
Impact
An unauthenticated remote attacker can crash a SurrealDB server with a single WebSocket message. No credentials or query execution privileges are required.
Patches
A patch enforces the configured recursion depth limit in
parse_valueandparse_json, bringing them in line with the rest of the parser.Workarounds
Restrict network access to the WebSocket
/rpcendpoint to trusted clients.References