GHSA-m24x-r6q3-2vp9: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-m24x-r6q3-2vp9) affects SurrealDB's HTTP REST API, where the ID, DB, and NS headers would fail to parse when containing special characters, causing a server crash leading to denial of service. The issue was discovered and disclosed in January 2024, affecting SurrealDB versions prior to 1.1.0. This vulnerability specifically impacts the SurrealDB binary but does not affect the SurrealDB library (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High severity) with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality: None, Integrity: None, Availability: High. The technical identifier for this weakness is CWE-248. The vulnerability is triggered when special characters are included in the HTTP headers (ID, DB, and NS) processed by the SurrealDB HTTP REST API (GitHub Advisory).

An unauthenticated attacker can cause a denial of service by sending HTTP requests containing special characters in the affected headers to the SurrealDB HTTP REST API. The server will crash upon processing these malformed headers. The vulnerability can be exploited without any special server configurations beyond having the HTTP REST API exposed (GitHub Advisory).

The vulnerability has been patched in SurrealDB version 1.1.0 and later versions. For users unable to update immediately, it is recommended to limit untrusted access to the SurrealDB HTTP REST API unless required by the application. Additionally, administrators should ensure the SurrealDB process is configured to automatically restart after a crash to minimize the impact of potential denial of service attacks (GitHub Advisory).