GHSA-h4f5-h82v-5w4r: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-h4f5-h82v-5w4r) affects the rand::time() function in SurrealQL, which was discovered and disclosed on November 22, 2024. This moderate severity issue impacts SurrealDB versions prior to 2.1.0, specifically affecting both the surrealdb and surrealdb-core Rust packages. The vulnerability stems from the function's handling of random time generation from Unix timestamps, where the underlying use of timestamp_opt from the chrono crate could return None, leading to a panic when unwrap was called on its result (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Moderate), with the following characteristics: Network attack vector, Low attack complexity, Low privileges required, No user interaction needed, Unchanged scope, No impact on confidentiality and integrity, but High impact on availability. The issue is classified under CWE-248 and occurs when the rand::time() function processes Unix timestamps using the chrono crate's timestamp_opt functionality (GitHub Advisory).

The vulnerability's primary impact is a potential denial of service condition. When exploited, an authorized client can trigger a server crash by making repeated calls (in the order of millions) to the rand::time() function, effectively disrupting the service availability (GitHub Advisory).

The vulnerability has been patched in version 2.1.0, where the function has been updated to guarantee that a datetime is returned or an error is gracefully handled. For users unable to update, recommended workarounds include limiting untrusted clients' ability to run the rand::time() function using security capabilities and ensuring the SurrealDB process is configured for automatic restart after crashes (GitHub Advisory, Pull Request).