Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns a vulnerability in SurrealDB that could allow an authenticated user to escalate privileges. The issue arises from how the system handles specially crafted table and field names during data export, which can lead to the execution of unauthorized commands when imported by a higher-privileged user. This could result in a full takeover of the database instance.
- Unauthenticated users can gain elevated privileges.
- Impacts systems allowing custom table or field names.
- Confirm relevance and potential exposure to the database.
Attack Path
How an attacker could exploit the issue
An attacker with OWNER or EDITOR privileges in SurrealDB could craft malicious table or field names containing SurrealQL. When a more privileged user imports a backup containing these specially crafted names, the injected SurrealQL executes, potentially leading to a complete takeover of the database. This attack also affects applications allowing custom table or field definitions if they are not properly handling user input during export and import processes.
- Authenticated user with specific roles required.
- Malicious export/import of tables or fields.
- Privilege escalation and instance takeover.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow an authenticated user with specific roles to inject malicious commands into SurrealDB through specially crafted table or field names during the export process. When a higher-privileged user later imports this exported data, the injected commands could execute, potentially leading to unauthorized control of the database instance. Applications allowing users to define custom tables or fields are also at risk of this injection.
- System data and service behavior at risk.
- Malicious names in exported data.
- Potential for privilege escalation and takeover.
Operational Fix
Recommended remediation, mitigation, and detection steps
This vulnerability impacts SurrealDB instances where users can define custom tables or fields. The primary concern lies with applications allowing user-defined schemas, as these could be manipulated by authenticated users with OWNER or EDITOR roles. The initial practical step is to identify all SurrealDB instances, confirm their accessibility and business criticality, and then locate the application owners or platform teams responsible for managing these databases to initiate a risk-based remediation plan.
- Identify SurrealDB instances and owners.
- Verify user-defined table/field export/import.
- Plan coordinated remediation with platform teams.