GHSA-jm4v-58r5-66hj: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-jm4v-58r5-66hj) affects SurrealDB versions prior to 1.1.1, discovered and disclosed in January 2024. The issue involves an uncaught exception that occurs when custom parameters and functions, which are only supported at the database level, are invoked at the root or namespace level. This vulnerability was assigned a moderate severity rating with a CVSS score of 6.5 (GitHub Advisory).

The vulnerability is characterized by a panic condition that occurs when parameters or functions are called at inappropriate levels within SurrealDB. The technical assessment shows a CVSS v3.1 base metric configuration of AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network vector attack capability with low complexity and requiring low privileges. The vulnerability is classified under CWE-248, emphasizing the uncaught exception nature of the issue (GitHub Advisory).

The primary impact of this vulnerability is a denial of service condition. When exploited, it causes the SurrealDB server to crash, disrupting service availability. Any client with authorization to execute queries at the root or namespace level can trigger this vulnerability, potentially affecting the entire database service (GitHub Advisory).

The vulnerability has been patched in SurrealDB version 1.1.1 and later versions. For users unable to update immediately, recommended workarounds include limiting untrusted users' ability to run arbitrary SurrealQL queries to the database level only. Additionally, administrators should configure the SurrealDB process to automatically restart after a crash to minimize service disruption (GitHub Advisory).