
SurrealDB versions prior to 2.3.8, 2.2.8, 2.1.9, and 3.0.0-alpha.7 contain a vulnerability in LIVE SELECT statements that allows unauthorized data exposure. The vulnerability (GHSA-7vm2-j586-vcvc) was discovered and disclosed on September 11, 2025, affecting the core functionality of real-time data capture within tables (GitHub Advisory).
The vulnerability stems from improper reduction of documents included in WHERE conditions and DELETE notifications during LIVE SELECT operations. Instead of respecting the querying user's security context, the leaked documents reflect the context of the user triggering the notification. The vulnerability has a CVSS v4 score of 6.9 (Moderate), with a Network attack vector, Low attack complexity, Low privileges required, and Passive user interaction (GitHub Advisory).
The vulnerability allows a record or guest user with permissions to run live query subscriptions on a table to observe unauthorized records within the same table. Unauthorized records are exposed when they are deleted, or when records matching the WHERE conditions are created, updated, or deleted by another user. The impact is limited to confidentiality breaches within tables the attacker has access to, with the extent of data disclosure depending on other users' actions (GitHub Advisory).
The vulnerability has been patched in versions 2.1.9, 2.2.8, and 2.3.8. Users are advised to upgrade to these patched versions. For those unable to upgrade immediately, the recommended workaround is to assess the impact of users with permissions on table records effectively having full read access to that table, and to consider using separate tables where required, though this may affect functionality (GitHub Advisory).
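A version triage check for this advisory, as an added example that is not SurrealDB's or the advisory's own code: it parses a version string, compares it against the fixed version of its release branch (including the 3.0.0 pre-release line), and reports branches the advisory does not name (for example 2.0.x) as unknown rather than guessing. The host inventory is constructed sample input.

```python
import re

# Fixed versions per release branch, as stated in GHSA-7vm2-j586-vcvc.
FIXED_BY_BRANCH = {
    (2, 1): "2.1.9",
    (2, 2): "2.2.8",
    (2, 3): "2.3.8",
    (3, 0): "3.0.0-alpha.7",
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Parse 'v2.3.7' or '3.0.0-alpha.6' into a tuple that sorts in SemVer order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        # A final release sorts after every pre-release of the same x.y.z.
        return (major, minor, patch, (1,))
    # SemVer: numeric identifiers compare numerically and rank below
    # alphanumeric ones; a shorter identifier list sorts first.
    parts = tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in pre.split("."))
    return (major, minor, patch, (0, parts))


def is_affected(version):
    """True if affected, False if fixed, None if the branch is not covered by the advisory."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        return None
    return v < parse_version(fixed)


def triage(inventory):
    """Group a {host: version} inventory into affected / fixed / unknown lists."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for host, ver in sorted(inventory.items()):
        status = is_affected(ver)
        bucket = "unknown" if status is None else ("affected" if status else "fixed")
        report[bucket].append(f"{host} ({ver})")
    return report


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "db-prod-1": "v2.3.7",
    "db-prod-2": "2.3.8",
    "db-stage": "3.0.0-alpha.6",
    "db-legacy": "2.0.5",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```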
Source: This report was generated using artificial intelligence.