Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/514785?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/514785?format=api", "purl": "pkg:cargo/surrealdb@3.0.0-alpha.8", "type": "cargo", "namespace": "", "name": "surrealdb", "version": "3.0.0-alpha.8", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.0.0-beta.3", "latest_non_vulnerable_version": "3.0.0-beta.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90513?format=api", "vulnerability_id": "VCID-fgrp-7st2-2uhk", "summary": "SurrealDB vulnerable to Denial of Service through scripting function memory edge case\nIn SurrealDB instances with the scripting capability enabled (`--allow-scripting`), users with the ability to run arbitrary queries can trigger a server crash due to a memory-safety bug in the underlying JS engine. The SurrealDB instance terminates instantly, requiring a manual restart.\n\nThe query consists of using built-in string functions to construct a large string and passing it to the JavaScript runtime for compilation. The exact string size required to trigger the crash varies between SurrealDB versions.\n\nWhilst exploiting the vulnerability requires users to be able to run arbitrary queries, if guest access (`--allow-guests`) is enabled, then guests can perform this attack.\n\n### Impact\n\nAny user able to execute queries on a SurrealDB instance with scripting enabled (`--allow-scripting`) can cause complete denial of service. The server process terminates immediately without graceful shutdown.\n\nThe underlying cause of the vulnerability is a null pointer dereference in the `QuickJS-NG` v0.8 JavaScript engine; this vulnerability cannot be exploited to execute arbitrary code, or compromise the integrity or confidentiality of data. \n\n### Patches\n\nVersions prior to SurrealDB `v2.6.1` and `v3.0.0-beta.3` are vulnerable.\n\nThe patches for SurrealDB `v2.6.1` and `v3.0.0-beta.3` update the `rquickjs` dependency from `v0.9.0` to `v0.11.0`, which in turn uses an updated version of `QuickJS-NG`.\n\n### Workarounds\nDeny execution of embedded scripting functions through the configuration of [capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities#capabilities) by starting SurrealDB with the `--deny-scripting` flag or the equivalent environment variable `SURREAL_CAPS_DENY_SCRIPT=true`. This has a usability implication, although scripting functions are disabled by default.\n\nAdministrators can also use `--deny-arbitrary-query` to deny arbitrary querying by either `guest`, `record` or `system` users, or a combination of those, with impacts to functionality for those users. \n\n### Links ###\n[SurrealDB Documentation - Capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities)\n[SurrealDB Documentation - Guest Access](https://surrealdb.com/docs/surrealdb/security/capabilities#guest-access)\n[SurrealQL Documentation - Scripting Functions](https://surrealdb.com/docs/surrealql/functions/script)\n[quickjs-ng v0.9 Release Notes](https://github.com/quickjs-ng/quickjs/releases/tag/v0.9.0)\nhttps://github.com/surrealdb/surrealdb/pull/6833\nhttps://github.com/surrealdb/surrealdb/pull/6774", "references": [ { "reference_url": "https://github.com/surrealdb/surrealdb", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/surrealdb/surrealdb" }, { "reference_url": "https://github.com/surrealdb/surrealdb/commit/2b0389b92398d9ecff4632cd51bbf8303832a988", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/surrealdb/surrealdb/commit/2b0389b92398d9ecff4632cd51bbf8303832a988" }, { "reference_url": "https://github.com/surrealdb/surrealdb/commit/bcd2ece9ef0d721215f06a47280698669f332285", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/surrealdb/surrealdb/commit/bcd2ece9ef0d721215f06a47280698669f332285" }, { "reference_url": "https://github.com/surrealdb/surrealdb/pull/6774", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/surrealdb/surrealdb/pull/6774" }, { "reference_url": "https://github.com/surrealdb/surrealdb/pull/6833", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/surrealdb/surrealdb/pull/6833" }, { "reference_url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-xx7m-69ff-9crp", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": 
"MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-xx7m-69ff-9crp" }, { "reference_url": "https://github.com/advisories/GHSA-xx7m-69ff-9crp", "reference_id": "GHSA-xx7m-69ff-9crp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xx7m-69ff-9crp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/514677?format=api", "purl": "pkg:cargo/surrealdb@3.0.0-beta.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:cargo/surrealdb@3.0.0-beta.3" } ], "aliases": [ "GHSA-xx7m-69ff-9crp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fgrp-7st2-2uhk" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:cargo/surrealdb@3.0.0-alpha.8" }