GHSA-m52v-24p8-654f: 
Rust vulnerability analysis and mitigation

A vulnerability in SurrealDB versions prior to 2.1.0 was discovered where sorting table records using an ORDER BY clause with the rand() function could cause a server panic. The issue (GHSA-m52v-24p8-654f) was caused by a comparison function that did not implement total order, which became problematic after a recent change in Rust 1.81. The vulnerability was discovered in October 2024 and patched in version 2.1.0 (GitHub Advisory).

The vulnerability stemmed from an invalid shuffling implementation where the sorting mechanism attempted to generate random numbers during each comparison and then compare those numbers. This approach failed to guarantee a total ordering, which could lead to infinite sorting attempts and ultimately cause the server to panic. The issue was particularly triggered when executing queries using 'ORDER BY rand()' clause (SurrealDB PR 4989). The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Moderate) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability could allow an authenticated client to cause a denial of service by executing a query with ORDER BY rand(), resulting in a server crash. While the impact was limited to availability with no effect on confidentiality or integrity, it could disrupt service operations by forcing the server to restart (GitHub Advisory).

The issue has been fixed in SurrealDB version 2.1.0 by updating the sorting algorithm to guarantee total order when shuffling records. For users unable to update, recommended workarounds include limiting the ability of untrusted clients to run arbitrary SurrealQL queries and ensuring the SurrealDB process is configured to automatically restart after a crash (GitHub Advisory).