
GHSA-64f8-pjgr-9wmr
Rust vulnerability analysis and mitigation

Overview

A high severity vulnerability (GHSA-64f8-pjgr-9wmr) was discovered in SurrealDB's RPC API affecting versions <1.5.5 and <2.0.0-beta.3 of surrealdb and <1.5.2 of surrealdb-core packages. The vulnerability was disclosed and patched on September 11, 2024. The issue allowed arbitrary object evaluation during sign-in and sign-up operations through the RPC API when using the bincode serialization format (GitHub Advisory).

Technical details

During sign-in and sign-up operations through the SurrealDB RPC API, the system would accept arbitrary objects to support various credential types and structures. When using the bincode serialization format (instead of JSON or CBOR), an attacker could provide a binary object containing a subquery that would be executed while processing SIGNIN and SIGNUP queries defined in record access methods. These queries would be executed under a system user session with editor role privileges (GitHub Advisory).

Impact

If a record access method was configured with SIGNIN or SIGNUP queries and the SurrealDB RPC API was exposed to untrusted users, an attacker could craft a binary object containing a subquery to execute during authentication. This would allow them to select, create, update, and delete non-IAM resources with system user editor role permissions. However, attackers could not directly view query results or manipulate IAM resources, as those require owner role privileges (GitHub Advisory).

Mitigation and workarounds

For users unable to update, several workarounds are available:

1) Restrict access to the SurrealDB RPC API by only allowing requests to the /rpc endpoint with the application/json content type.
2) If the RPC API is only used by trusted clients, or not used at all, disable or restrict access to the /rpc endpoint.
3) Temporarily remove record access methods that define SIGNIN and SIGNUP clauses.

The permanent fix is to update to version 1.5.5 or later for the 1.x series, or 2.0.0-beta.3 or later for the 2.x series; these releases validate the objects provided during sign-in and sign-up operations (GitHub Advisory).
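The following is an added example, not SurrealDB's own code or configuration, of how workaround 1 can be enforced in front of the RPC endpoint: a request passes to /rpc only when its Content-Type is application/json, so a binary (bincode) body never reaches the sign-in or sign-up handlers. The `Decision` enum, the header list shape, and the sample requests are assumptions made for the example; the media-type handling (case-insensitive match, parameters such as `charset` ignored, repeated headers treated as absent) is the part a practitioner would otherwise get wrong.

```rust
// Added example (not SurrealDB code): a request-gating policy that implements
// workaround 1 from the advisory in front of the RPC endpoint.
// The request shapes, header list type and `Decision` enum are assumptions.

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    Reject(&'static str),
}

/// Find the Content-Type header value. Header names are case-insensitive;
/// if the header is repeated the value is ambiguous, so report it as absent
/// rather than letting a proxy and the backend disagree on which copy wins.
pub fn content_type<'a>(headers: &[(&'a str, &'a str)]) -> Option<&'a str> {
    let mut found = headers
        .iter()
        .filter(|(name, _)| name.eq_ignore_ascii_case("content-type"))
        .map(|(_, value)| *value);
    match (found.next(), found.next()) {
        (Some(v), None) => Some(v),
        _ => None,
    }
}

/// Reduce a Content-Type value to its media type: drop parameters such as
/// `; charset=utf-8`, trim whitespace and lower-case it (media types are
/// case-insensitive, so `Application/JSON` must still match).
fn media_type(value: &str) -> String {
    value.split(';').next().unwrap_or("").trim().to_ascii_lowercase()
}

/// Is this request target the RPC endpoint? The query string is ignored and
/// any target whose first path segment is `rpc` counts (`/rpc`, `/rpc/`,
/// `/rpc?x=1`), which is the conservative reading of the workaround;
/// `/rpcfoo` or `/api/rpc` do not.
fn is_rpc_path(target: &str) -> bool {
    let path = target.split('?').next().unwrap_or("");
    path.trim_start_matches('/').split('/').next() == Some("rpc")
}

/// Apply the policy to one request: its target plus its header list.
pub fn gate_rpc_request(target: &str, headers: &[(&str, &str)]) -> Decision {
    if !is_rpc_path(target) {
        return Decision::Allow; // other endpoints are outside this workaround
    }
    match content_type(headers).map(media_type) {
        Some(mt) if mt == "application/json" => Decision::Allow,
        Some(_) => Decision::Reject("non-JSON Content-Type on /rpc"),
        None => Decision::Reject("missing or ambiguous Content-Type on /rpc"),
    }
}

fn main() {
    // Constructed sample requests, not captured traffic.
    let samples: [(&str, &[(&str, &str)]); 4] = [
        ("/rpc", &[("Content-Type", "application/json; charset=utf-8")]),
        ("/rpc", &[("content-type", "application/octet-stream")]),
        ("/rpc?foo=bar", &[]),
        ("/health", &[]),
    ];
    for (target, headers) in samples {
        println!("{target:<14} -> {:?}", gate_rpc_request(target, headers));
    }
}
```

A proxy or middleware applying this policy should reject before the body is read, and the "missing or ambiguous" branch matters: a client that omits Content-Type, or sends two copies of it, must not be allowed through on the assumption that the backend will pick the JSON one.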


Related Rust vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-66627 | HIGH | 8.4 | Rust | wasmi | No | Yes | Dec 09, 2025 |
| GHSA-xrv8-2pf5-f3q7 | MEDIUM | 6 | Rust | nitro-tpm-pcr-compute | No | Yes | Dec 05, 2025 |
| CVE-2025-67487 | MEDIUM | 5.5 | Rust | static-web-server | No | Yes | Dec 09, 2025 |
| CVE-2025-66622 | LOW | 1.3 | Rust | matrix-sdk-base | No | Yes | Dec 09, 2025 |
| RUSTSEC-2025-0135 | N/A | N/A | Rust | matrix-sdk-base | No | Yes | Dec 08, 2025 |
