GHSA-qjrv-v6qp-x99x: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-qjrv-v6qp-x99x) affects SurrealDB versions 2.0.0 to 2.0.4 and involves an uncaught exception when handling parsing errors on empty strings. The issue was discovered and disclosed on October 8, 2024, affecting both the surrealdb and surrealdb-core Rust packages. The vulnerability occurs in the parser's error rendering code when handling failed parsing of queries where the error occurred during the conversion of an empty string to a SurrealDB value (GitHub Advisory).

The vulnerability manifests when attempting to cast an empty string to various SurrealDB data types including records, durations, or datetimes. It also occurs when parsing an empty string to JSON or providing an empty string to the type::field and type::fields functions. The issue has been assigned a CVSS v4.0 score of 7.1 (High severity) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-248 (GitHub Advisory).

When exploited, this vulnerability allows an authorized client to execute a malformed query that fails to parse when converting an empty string, causing a panic in the error rendering code. This results in a server crash, effectively creating a denial of service condition (GitHub Advisory).

The vulnerability has been patched in version 2.0.4. For users unable to update, it is recommended to limit the ability of untrusted clients to run arbitrary SurrealQL queries. Additionally, administrators should ensure that the SurrealDB process is configured to automatically restart after a crash to minimize the impact of potential denial of service attacks (GitHub Advisory).