GHSA-6r8p-hpg7-825g: 
Rust vulnerability analysis and mitigation

GHSA-6r8p-hpg7-825g is a moderate severity vulnerability affecting SurrealDB versions prior to 1.1.0, discovered and disclosed in January 2024. The vulnerability involves uncontrolled recursion in SurrealQL parsing where the parser attempts to recursively parse nested statements or idioms without properly checking the depth limit established by the SURREAL_MAX_COMPUTATION_DEPTH environment variable (GitHub Advisory).

The vulnerability is characterized by the SurrealQL parser's failure to properly enforce recursion depth limits when processing nested statements including IF and RELATE statements, nested basic idioms, and nested attribute access. This oversight can result in stack overflow conditions when the nesting depth exceeds certain levels. The vulnerability has been assigned a CVSS score of 6.5 (Moderate) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network vector attack capability with low complexity and required privileges (GitHub Advisory).

The primary impact of this vulnerability is the potential for denial of service attacks. An authenticated attacker with the ability to run queries on a SurrealDB server can craft queries with deeply nested statements that exceed the stack limits, causing the server to crash (GitHub Advisory).

The vulnerability has been patched in SurrealDB version 1.1.0 and later releases. For users unable to update immediately, recommended workarounds include limiting the ability of untrusted users to run arbitrary SurrealQL queries and ensuring the SurrealDB process is configured to automatically restart after crashes to minimize denial of service impact (GitHub Advisory).