
Cloud Vulnerability DB
A community-led vulnerabilities database
SurrealDB versions prior to 1.1.0 contain a high-severity vulnerability (GHSA-58j9-j2fj-v8f4) in the WebSocket interface. The vulnerability stems from the tungstenite and tokio-tungstenite crates, which the axum crate uses to handle WebSocket connections. The issue was discovered and disclosed in January 2024; it affects HTTP header parsing during the client handshake and can lead to sustained high CPU consumption when very long headers are processed (GitHub Advisory).
The vulnerability exists in the tungstenite crate versions before 0.20.1, where the parsing of HTTP headers during the client handshake could continuously consume high CPU when processing exceptionally long headers. The issue affects both the frequency of parse attempts (thousands of times) and the volume of data processed in each attempt (millions of bytes). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with no required privileges or user interaction (NIST NVD, RustSec).
A remote unauthenticated attacker can cause a SurrealDB server exposing its WebSocket interface to consume high CPU resources by sending an HTTP request with a very long header to the WebSocket interface. This can potentially lead to a denial of service condition, affecting the server's availability and performance (GitHub Advisory).
The primary mitigation is to upgrade to SurrealDB version 1.1.0 or later, which includes the patched version of the tungstenite crate. For users unable to update immediately, alternative workarounds include restricting access to the WebSocket interface through a reverse proxy where the interface is not in use or is only used by trusted clients. Additionally, configuring a reverse proxy to strip or truncate request headers exceeding a reasonable length before they reach the SurrealDB server can help mitigate the vulnerability (GitHub Advisory).
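One way to put the reverse-proxy workaround into practice, as an added example that is not part of the advisory: an nginx server block placed in front of SurrealDB. It assumes SurrealDB listens on 127.0.0.1:8000 with its WebSocket endpoint at /rpc (the path is an assumption, not stated above) and uses placeholder values for the trusted client range and hostname; TLS is omitted for brevity. Note that nginx rejects a request whose header field exceeds the configured buffer with a 400 rather than truncating it, so the oversized header never reaches the tungstenite parser.

```nginx
# Added example (not from the advisory): nginx in front of SurrealDB.
# Assumptions: SurrealDB on 127.0.0.1:8000, WebSocket endpoint at /rpc,
# 10.0.0.0/8 as a placeholder for the trusted client range.

upstream surrealdb {
    server 127.0.0.1:8000;
}

server {
    listen 8080;
    server_name db.example.internal;   # placeholder hostname

    # Cap request-line and header sizes. A header field larger than one of
    # these buffers makes nginx answer 400 to the client instead of forwarding
    # the request, so exceptionally long headers are dropped at the edge.
    client_header_buffer_size 1k;
    large_client_header_buffers 2 4k;

    # Forward the WebSocket endpoint only for trusted clients.
    location /rpc {
        allow 10.0.0.0/8;   # placeholder trusted range
        deny  all;

        proxy_pass http://surrealdb;
        proxy_http_version 1.1;                      # required for Upgrade
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 300s;                     # keep idle sockets open
    }

    # If the WebSocket interface is not used at all, refuse it instead:
    # location /rpc { return 404; }

    # Remaining SurrealDB HTTP endpoints, without Upgrade handling.
    location / {
        proxy_pass http://surrealdb;
        proxy_set_header Host $host;
    }
}
```

The header cap applies to every route in this server block, so size it to fit the largest legitimate cookies or bearer tokens your clients send.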
Source: This report was generated using AI