
Cloud Vulnerability DB
A community-led vulnerabilities database
SurrealDB (versions < 2.2.2, < 2.0.5, < 2.1.5) contains a vulnerability where JavaScript script functions lack a default timeout setting. This vulnerability was discovered during a code audit and penetration test by cure53 and was assigned a low severity rating. The issue affects SurrealDB servers that explicitly enable scripting capability with the --allow-scripting or --allow-all flags, or through the equivalent environment variables SURREAL_CAPS_ALLOW_SCRIPT=true and SURREAL_CAPS_ALLOW_ALL=true (GitHub Advisory).
The vulnerability stems from SurrealDB's advanced function capabilities that allow embedded functions to be written in JavaScript. While these functions are bounded for memory and stack size, they lack time limitations. The vulnerability has been assigned a CVSS v4 score of 2.3 (Low), with attack vector being Network, attack complexity Low, attack requirements Present, privileges required Low, and user interaction None (GitHub Advisory).
An attacker can exploit this vulnerability by using the scripting capabilities of SurrealDB to execute a series of long-running functions, potentially facilitating a Denial of Service (DoS) attack. The impact is limited to availability with no effect on confidentiality or integrity of the system (GitHub Advisory).
Users can mitigate this vulnerability by either upgrading to patched versions (2.0.5, 2.1.5, 2.2.2 or later) or by denying execution of embedded scripting functions through the --deny-scripting flag or the SURREAL_CAPS_DENY_SCRIPT=true environment variable. The patch implements a default timeout for scripting functions, configurable through the SURREAL_SCRIPTING_MAX_TIME_LIMIT environment variable (GitHub Advisory).
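The two checks a defender would want from the paragraphs above, written here as an added example rather than code from the Wiz page or the SurrealDB project: one classifies a SurrealDB version against the fixed versions the advisory lists (2.0.5, 2.1.5, 2.2.2), and the other reads a server's launch configuration and reports whether JavaScript scripting is enabled without the timeout variable set. The flag and environment-variable names are those given in the advisory; the version strings, command lines and the timeout value 10 at the bottom are constructed samples, and the rule that an explicit deny overrides an allow is an assumption made for this check.

```shell
#!/bin/sh
# Added example (not from the Wiz page or the SurrealDB project): audit helpers
# for the SurrealDB scripting-timeout advisory. Works in POSIX sh.

# Compare two X.Y.Z versions numerically; prints -1, 0 or 1.
vercmp() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    for p in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $p
        [ "$1" -lt "$2" ] && { echo -1; return; }
        [ "$1" -gt "$2" ] && { echo 1; return; }
    done
    echo 0
}

# Map a version to the fixed release of its branch as listed in the advisory
# (2.2.x -> 2.2.2, 2.1.x -> 2.1.5, everything below 2.1.0 -> "< 2.0.5").
# Prints "affected" or "fixed".
surreal_version_status() {
    v=$1
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 2 ]; }; then
        echo fixed; return
    fi
    case "$major.$minor" in
        2.2) fixed=2.2.2 ;;
        2.1) fixed=2.1.5 ;;
        *)   fixed=2.0.5 ;;
    esac
    if [ "$(vercmp "$v" "$fixed")" -lt 0 ]; then echo affected; else echo fixed; fi
}

# Classify a launch configuration from its environment assignments ($1) and
# command line ($2). Prints one of:
#   denied | allowed-no-limit | allowed-with-limit | not-enabled
# Assumption: an explicit deny takes precedence over an allow.
surreal_scripting_state() {
    cfg="$1 $2"
    case "$cfg" in
        *--deny-scripting*|*SURREAL_CAPS_DENY_SCRIPT=true*) echo denied; return ;;
    esac
    case "$cfg" in
        *--allow-scripting*|*--allow-all*|*SURREAL_CAPS_ALLOW_SCRIPT=true*|*SURREAL_CAPS_ALLOW_ALL=true*)
            case "$cfg" in
                *SURREAL_SCRIPTING_MAX_TIME_LIMIT=*) echo allowed-with-limit ;;
                *) echo allowed-no-limit ;;
            esac ;;
        *) echo not-enabled ;;
    esac
}

# Constructed samples: the weak launch beside the two mitigations the advisory names.
for sample in \
    "2.1.3|SURREAL_CAPS_ALLOW_SCRIPT=true|surreal start" \
    "2.1.5|SURREAL_CAPS_ALLOW_SCRIPT=true SURREAL_SCRIPTING_MAX_TIME_LIMIT=10|surreal start" \
    "2.1.3||surreal start --allow-all --deny-scripting"; do
    IFS='|' read -r ver envs cmd <<EOF
$sample
EOF
    printf '%-6s %-9s %s\n' "$ver" "$(surreal_version_status "$ver")" \
        "$(surreal_scripting_state "$envs" "$cmd")"
done
```

Read the two results together: "affected" plus "allowed-no-limit" is the exposed combination the advisory describes, while "denied" removes the exposure on any version. Setting SURREAL_SCRIPTING_MAX_TIME_LIMIT on a version that the first check still reports as "affected" does not help, since the variable only takes effect in the patched releases.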
Source: This report was generated using AI