GHSA-7vm2-j586-vcvc: 
Rust vulnerability analysis and mitigation

SurrealDB versions prior to 2.3.8, 2.2.8, and 2.1.9 contain a security vulnerability related to LIVE SELECT statements (GHSA-7vm2-j586-vcvc). The vulnerability was discovered and disclosed on September 11, 2025, affecting the database's real-time query subscription feature. The issue impacts SurrealDB's core functionality that allows capturing changes to data within a table in real-time (GitHub Advisory).

The vulnerability stems from improper handling of document reduction in LIVE SELECT statements. When processing documents included in WHERE conditions and DELETE notifications, the system failed to properly reduce the documents to respect the querying user's security context. Instead, the documents were exposed with the security context of the user triggering the notification. This implementation flaw affects the LIVE query subscription feature, which is used to capture real-time changes to data within tables (GitHub Advisory).

The vulnerability allows a record or guest user with permissions to run live query subscriptions on a table to observe unauthorized records within the same table. This occurs when another user is altering or deleting records, effectively bypassing access controls. The impact is limited to confidentiality breaches within tables the attacker has access to, with the extent of data disclosure dependent on actions taken by other users (GitHub Advisory).

Users are advised to upgrade to the patched versions: 2.3.8, 2.2.8, or 2.1.9, depending on their current version. For users unable to upgrade immediately, the recommended workaround is to assess the impact of users with permissions on table records effectively having full read access to the table and consider using separate tables if required, though this may impact functionality (GitHub Advisory).