GHSA-8xff-473h-f863: 
Rust vulnerability analysis and mitigation

A vulnerability identified as GHSA-8xff-473h-f863 was discovered in SurrealDB versions 1.2.0 and earlier, affecting the span rendering functionality when handling parsing errors on line terminators. The issue was published on February 19, 2024, and updated on February 21, 2024. This moderate severity vulnerability impacts the SurrealDB database server's query parsing system (GitHub Advisory).

The vulnerability stems from an uncaught exception in the span rendering code when handling failed parsing of queries where the error occurs on a line terminator character. The issue has been assigned a CVSS v3.1 base score of 6.5 (Moderate) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-248 and requires low attack complexity with network-based attack vector (GitHub Advisory).

When exploited, this vulnerability allows an authorized client to cause a denial of service by executing a malformed query that fails to parse on a line terminator character. The failed parsing triggers a panic in the span rendering code, resulting in a server crash. The vulnerability affects availability while maintaining no impact on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in SurrealDB version 1.2.1 and later versions. For users unable to update immediately, it is recommended to limit the ability of untrusted users to run arbitrary SurrealQL queries in affected versions. Additionally, administrators should ensure that the SurrealDB process is configured to automatically restart after a crash to minimize the impact of potential denial of service attacks (GitHub Advisory).

The vulnerability was initially reported through a user issue report describing abnormal behavior in the desktop application. The issue was subsequently investigated and confirmed by the SurrealDB team, leading to the security advisory's publication (Surrealist Issue).