
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (GHSA-ccj3-5p93-8p42) was discovered in SurrealDB's command-line tool, affecting versions prior to 2.2.2, 2.1.5, and 2.0.5. The vulnerability involves improper sanitization of table and field names during database exports, which can lead to SurrealQL injection when the backup is reimported. This security flaw was identified during a code audit and penetration test conducted by cure53 and was disclosed on April 10, 2025 (GitHub Advisory).
The vulnerability stems from insufficient sanitization of table and field names in the export functionality. An authenticated System User with the OWNER or EDITOR role can create tables or fields whose names contain SurrealQL; the exporter writes those names into the backup without proper escaping, so the embedded SurrealQL executes as statements when the backup is imported. The vulnerability has been assigned a Critical severity rating with a CVSS v4 score of 9.4, characterized by Network attack vector, Low attack complexity, and High impact across confidentiality, integrity, and availability metrics (GitHub Advisory).
The exploitation of this vulnerability can result in privilege escalation and complete takeover (root access) of the SurrealDB instance. Additionally, it enables SurrealQL injection attacks against co-tenanted applications where SurrealDB serves as a shared backend for multiple applications. The vulnerability particularly affects applications that allow users to define custom fields or tables, even when query parameters are properly sanitized (GitHub Advisory).
The issue has been patched in versions 2.0.5, 2.1.5, 2.2.2 and later by fixing bugs in the exporter that failed to escape certain characters properly. For users unable to upgrade, it is recommended to manually inspect exported data for injected statements prior to importing it (GitHub Advisory).
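As an added example (not SurrealDB's own tooling and not part of the advisory), the following script implements the interim mitigation above: a heuristic pre-import check that reads a SurrealQL export and flags lines where a name appears to carry a statement boundary or an unescaped quoting character into the file. It assumes the export is plain text with one statement per line, that comments start with `--`, and that schema is declared with `DEFINE TABLE` / `DEFINE FIELD` statements; the sample export embedded at the bottom is constructed for the demonstration.

```python
from __future__ import annotations
import re

# Added example, not SurrealDB's own code. Heuristic pre-import linter for a
# SurrealQL export: a single exported statement should carry exactly one
# top-level ';', and a table or field name should be either a bare identifier
# or a fully quoted one with no quote character inside it.

SAFE_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
DEFINE_TABLE = re.compile(r"^\s*DEFINE\s+TABLE\s+(\S+)", re.I)
DEFINE_FIELD = re.compile(r"^\s*DEFINE\s+FIELD\s+(\S+)\s+ON\s+(?:TABLE\s+)?(\S+)", re.I)


def count_terminators(line: str) -> int:
    """Count ';' outside string literals and quoted identifiers."""
    closing = None  # character that ends the current quoted region, if any
    count = 0
    i = 0
    while i < len(line):
        ch = line[i]
        if closing:
            if ch == "\\" and closing in "'\"":
                i += 2  # skip an escaped character inside a string literal
                continue
            if ch == closing:
                closing = None
        elif ch in "'\"`":
            closing = ch
        elif ch == "\u27e8":  # '⟨' opens a bracket-quoted identifier
            closing = "\u27e9"
        elif ch == ";":
            count += 1
        i += 1
    return count


def is_safe_name(token: str) -> bool:
    """Accept a bare identifier or a fully quoted one with no quote inside."""
    token = token.rstrip(";")
    if len(token) >= 2 and token[0] == token[-1] == "`":
        return "`" not in token[1:-1]
    if len(token) >= 2 and token[0] == "\u27e8" and token[-1] == "\u27e9":
        return "\u27e9" not in token[1:-1]
    return bool(SAFE_IDENT.match(token))


def scan_export(text: str) -> list[tuple[int, str]]:
    """Return (line_number, reason) for every line that looks tampered with."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("--"):
            continue
        if count_terminators(line) > 1:
            findings.append((lineno, "multiple statements on one line"))
        names = []
        if m := DEFINE_TABLE.match(line):
            names.append(m.group(1))
        elif m := DEFINE_FIELD.match(line):
            names.extend(m.groups())
        for name in names:
            if not is_safe_name(name):
                findings.append((lineno, f"unexpected identifier {name!r}"))
    return findings


# Constructed sample export (not produced by SurrealDB). The line with two
# DEFINE TABLE statements and the line with a backtick inside a bare name
# should be flagged; the ';' inside the string literal should not.
SAMPLE_EXPORT = """\
-- constructed sample, not a real SurrealDB export
OPTION IMPORT;
DEFINE TABLE users SCHEMAFULL;
DEFINE FIELD email ON users TYPE string;
DEFINE TABLE `order-items` SCHEMALESS;
DEFINE TABLE report; DEFINE TABLE injected SCHEMALESS;
DEFINE FIELD note ON users TYPE string DEFAULT 'a; b';
DEFINE TABLE odd`name SCHEMALESS;
"""

if __name__ == "__main__":
    for lineno, reason in scan_export(SAMPLE_EXPORT):
        print(f"line {lineno}: {reason}")
```

Run it against the export file before `surreal import`; any finding means a human should read the flagged line and decide whether to drop it. The check is deliberately conservative and is a stopgap only: upgrading to a patched version removes the exporter bug itself.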
Source: This report was generated using AI