CVE-2025-11060: 
Rust vulnerability analysis and mitigation

A vulnerability (CVE-2025-11060) was discovered in SurrealDB's live query subscription mechanism. The flaw was found in the database engine where record or guest users could observe unauthorized records within the same table, bypassing access controls, through crafted LIVE SELECT subscriptions when other users alter or delete records. The vulnerability was disclosed on September 11, 2025, affecting versions prior to 2.1.9, 2.2.8, 2.3.8, and 3.0.0-alpha.7 (GitHub Advisory, NVD).

The vulnerability stems from improper handling of document reduction in LIVE SELECT statements, which are used to capture real-time changes to data within a table. Documents included in WHERE conditions and DELETE notifications were not properly reduced to respect the querying user's security context. Instead, the leaked documents reflected the context of the user triggering the notification. The vulnerability has been assigned a CVSS v3.1 base score of 5.7 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N (Red Hat).

The vulnerability allows record or guest users with permissions to run live query subscriptions on a table to observe unauthorized records within the same table. Unauthorized records are exposed when they are deleted, or when records matching the WHERE conditions are created, updated, or deleted by another user. The impact is limited to confidentiality breaches within tables the attacker has access to, with data disclosure dependent on actions taken by other users (GitHub Advisory).

Patches have been released in versions 2.1.9, 2.2.8, and 2.3.8. For version 3.x, the fix will be included in the first release following v3.0.0-alpha.7. As a workaround, administrators should assess the impact of users with permissions on table records effectively having full read access to the table and consider using separate tables if required, though this may impact functionality (GitHub Advisory).