
chore(deps): update rust crate surrealdb to v2.6.1 [security] #62

Open
renovate[bot] wants to merge 1 commit into master from renovate/crate-surrealdb-vulnerability

Conversation


@renovate renovate bot commented Sep 12, 2025

This PR contains the following updates:

Package     Type          Update  Change
surrealdb   dependencies  minor   2.3.3 -> 2.6.1

GitHub Vulnerability Alerts

CVE-2025-11060

LIVE SELECT statements are used to capture changes to data within a table in real time. Documents included in WHERE conditions and DELETE notifications were not properly reduced to respect the querying user's security context. Instead the leaked documents reflect the context of the user triggering the notification.

This allows a record or guest user with permissions to run live query subscriptions on a table to observe unauthorised records within the same table, when another user is altering or deleting these records, bypassing access controls.

Impact

A record or guest user with permissions to run live query subscriptions on a table is able to observe unauthorised records within the same table, with unauthorised records returned when deleted, or when records matching the WHERE conditions are created, updated, or deleted, by another user. This impacts confidentiality, limited to the table the attacker has access to, and with the data disclosed dependent on the actions taken by other users.

Patches

A patch has been created for the following versions:

  • Versions 2.1.9, 2.2.8 and 2.3.8 and later are not affected by this issue.
  • The first release following v3.0.0-alpha.7 will be patched.

Workarounds

Assess the impact of users with permissions on table records effectively having full read access to the table; use separate tables if required, with impacts to functionality.

GHSA-3v2x-9xcv-2v2v

Unprivileged users (for example, those with the database editor role) can create or modify fields in records that contain functions or futures. Futures are values which are only computed when the value is queried. The query executes in the context of the querying user, rather than the user who originally defined the future. Likewise, fields containing functions or custom-defined logic (closures) are executed under the privileges of the invoking user, not the creator.

This results in a confused deputy vulnerability: an attacker with limited privileges can define a malicious function or future field that performs privileged actions. When a higher-privileged user (such as a root owner or namespace administrator) executes the function or queries or modifies that record, the function executes with their elevated permissions.

Impact

An attacker who can create or update function/future fields can plant logic that executes with a privileged user’s context. If a privileged user performs a write that touches the malicious field, the attacker can achieve full privilege escalation (e.g., create a root owner and take over the server).

If a privileged user performs a read action on the malicious field, this attack vector could still potentially be used to perform limited denial of service or, in the specific case where the network capability was explicitly enabled and unrestricted, exfiltrate database information over the network.

Patches

Versions prior to 2.5.0 and 3.0.0-beta.3 are vulnerable.

For SurrealDB 3.0, futures are no longer supported; they are replaced by computed fields, which are only available within schemaful tables.

Further to this, the patches for 2.5.0 and 3.0.0-beta.3:

  • Implement an auth_limit on defined apis, functions, fields and events, that limits execution to the permissions of the creating user or the invoking user, whichever is lower.
  • Prevent closures from being stored, which eliminates a potential attack surface. For 2.5.0 this can still be allowed by using the insecure_storable_closures capability.
  • Ensure the proper auth level is used to compute expressions in signin & signup.

For existing apis, events, fields and functions defined prior to upgrading to 2.5.0 or 3.0.0-beta.3, auth_limit will not apply, to avoid breaking changes. These will need to subsequently be redefined so that auth_limit can take effect.

Workarounds

Users unable to patch are advised to evaluate their use of the database to identify where low privileged users are able to define logic subsequently executed by privileged users, such as apis, functions, futures fields and events, and are recommended to minimise these instances.

References

Futures
Closures
SurrealDB Environment Variables

GHSA-xx7m-69ff-9crp

In SurrealDB instances with the scripting capability enabled (--allow-scripting), users with the ability to run arbitrary queries can trigger a server crash due to a memory-safety bug in the underlying JS engine. The SurrealDB instance terminates instantly, requiring a manual restart.

The query consists of using built-in string functions to construct a large string and passing it to the JavaScript runtime for compilation. The exact string size required to trigger the crash varies between SurrealDB versions.

Whilst exploiting the vulnerability requires users to be able to run arbitrary queries, if guest access (--allow-guests) is enabled, then guests can perform this attack.

Impact

Any user able to execute queries on a SurrealDB instance with scripting enabled (--allow-scripting) can cause complete denial of service. The server process terminates immediately without graceful shutdown.

The underlying cause of the vulnerability is a null pointer dereference in the QuickJS-NG v0.8 JavaScript engine; this vulnerability cannot be exploited to execute arbitrary code, or to compromise the integrity or confidentiality of data.

Patches

Versions prior to SurrealDB v2.6.1 and v3.0.0-beta.3 are vulnerable.

The patches for SurrealDB v2.6.1 and v3.0.0-beta.3 update the rquickjs dependency from v0.9.0 to v0.11.0, which in turn uses an updated version of QuickJS-NG.

Workarounds

Deny execution of embedded scripting functions through the configuration of capabilities by starting SurrealDB with the --deny-scripting flag or the equivalent environment variable SURREAL_CAPS_DENY_SCRIPT=true. This has a usability implication, although scripting functions are disabled by default.

Administrators can also use --deny-arbitrary-query to deny arbitrary querying by either guest, record or system users, or a combination of those, with impacts to functionality for those users.

Links

SurrealDB Documentation - Capabilities
SurrealDB Documentation - Guest Access
SurrealQL Documentation - Scripting Functions
quickjs-ng v0.9 Release Notes
https://github.com/surrealdb/surrealdb/pull/6833
https://github.com/surrealdb/surrealdb/pull/6774


Release Notes

surrealdb/surrealdb (surrealdb)

  • v2.6.1: Release 2.6.1 (Compare Source)
  • v2.6.0: Release 2.6.0 (Compare Source)
  • v2.5.0: Release 2.5.0 (Compare Source)
  • v2.4.1: Release 2.4.1 (Compare Source)
  • v2.4.0: Release 2.4.0 (Compare Source)
  • v2.3.10: Release 2.3.10 (Compare Source)
  • v2.3.9: Release 2.3.9 (Compare Source)
  • v2.3.8: Release 2.3.8 (Compare Source)
  • v2.3.7: Release 2.3.7 (Compare Source)
  • v2.3.6: Release 2.3.6 (Compare Source)
  • v2.3.5: Release 2.3.5 (Compare Source)
  • v2.3.4: Release 2.3.4 (Compare Source)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
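As an added example (not part of this Renovate PR and not SurrealDB's own code), the following std-only Rust program audits a Cargo.lock for `surrealdb` entries that predate the fixed 2.x versions the three advisories above state: 2.1.9 / 2.2.8 / 2.3.8 for CVE-2025-11060, 2.5.0 for GHSA-3v2x-9xcv-2v2v and 2.6.1 for GHSA-xx7m-69ff-9crp. The lockfile contents are constructed sample input, the line-based lockfile parser and the "newer minor line carries the fix" rule are assumptions of this example, and 3.0 pre-releases are deliberately not assessed.

```rust
// Added example, not code from the Renovate PR or from SurrealDB: audit a
// Cargo.lock for `surrealdb` versions below the 2.x fixed versions the three
// advisories name. Uses only the standard library.

/// Minimal MAJOR.MINOR.PATCH version. Pre-release tags ("-alpha.7") are dropped,
/// which is a simplification: 3.0 pre-releases are therefore not assessed here.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

pub fn parse_version(s: &str) -> Option<Version> {
    // Keep only the numeric core before any "-pre" or "+build" suffix.
    let core = s.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some(Version(parts.next()??, parts.next()??, parts.next()??))
}

pub struct Advisory {
    pub id: &'static str,
    /// First fixed release on each affected 2.x minor line, per the advisory text.
    pub fixed_in: &'static [Version],
}

/// Thresholds taken from the advisory texts quoted in the PR body.
pub const ADVISORIES: &[Advisory] = &[
    Advisory { id: "CVE-2025-11060", fixed_in: &[Version(2, 1, 9), Version(2, 2, 8), Version(2, 3, 8)] },
    Advisory { id: "GHSA-3v2x-9xcv-2v2v", fixed_in: &[Version(2, 5, 0)] },
    Advisory { id: "GHSA-xx7m-69ff-9crp", fixed_in: &[Version(2, 6, 1)] },
];

/// A version counts as patched if it is at or above the fix on its own minor line,
/// or sits on a newer minor line than any the advisory lists (assumed to ship the fix).
pub fn is_patched(v: Version, fixed_in: &[Version]) -> bool {
    let line = |x: Version| (x.0, x.1);
    if fixed_in.iter().any(|f| line(*f) == line(v) && v >= *f) {
        return true;
    }
    fixed_in.iter().map(|f| line(*f)).max().map_or(false, |newest| line(v) > newest)
}

/// Line-based extraction of (name, version) pairs from Cargo.lock `[[package]]`
/// blocks. Assumption: the `name = "..."` / `version = "..."` lines are unindented
/// single-line TOML strings, which is how cargo writes them.
pub fn lockfile_packages(lock: &str) -> Vec<(String, String)> {
    fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<(String, String)>) {
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            out.push((n, v));
        }
    }
    let mut out = Vec::new();
    let (mut name, mut version) = (None, None);
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut out);
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Returns (locked version, advisory id) for every surrealdb 2.x entry that is
/// not patched against that advisory. Other major versions are not assessed.
pub fn audit(lock: &str) -> Vec<(String, &'static str)> {
    let mut findings = Vec::new();
    for (name, ver) in lockfile_packages(lock) {
        if name != "surrealdb" {
            continue;
        }
        let v = match parse_version(&ver) {
            Some(v) if v.0 == 2 => v,
            _ => continue,
        };
        for adv in ADVISORIES {
            if !is_patched(v, adv.fixed_in) {
                findings.push((ver.clone(), adv.id));
            }
        }
    }
    findings
}

/// Constructed sample Cargo.lock fragment (not taken from any real project).
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "serde"
version = "1.0.210"

[[package]]
name = "surrealdb"
version = "2.3.3"
"#;

fn main() {
    for (version, id) in audit(SAMPLE_LOCK) {
        println!("surrealdb {} is not patched for {}", version, id);
    }
}
```

Run it against a real lockfile by reading the file into `audit` instead of `SAMPLE_LOCK`; an empty result for a 2.x line means the locked surrealdb version is at or past all three thresholds, which is the state this PR reaches with 2.6.1.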

@renovate renovate bot changed the title from "fix(deps): update rust crate surrealdb to v2.3.8 [security]" to "chore(deps): update rust crate surrealdb to v2.3.8 [security]" on Sep 25, 2025
@renovate renovate bot changed the title from "chore(deps): update rust crate surrealdb to v2.3.8 [security]" to "chore(deps): update rust crate surrealdb to v2.5.0 [security]" on Jan 22, 2026
@renovate renovate bot force-pushed the renovate/crate-surrealdb-vulnerability branch from a2c5c42 to 060f5f4 on January 22, 2026 20:55
@renovate renovate bot force-pushed the renovate/crate-surrealdb-vulnerability branch from 060f5f4 to 664e20e on February 12, 2026 22:31
@renovate renovate bot changed the title from "chore(deps): update rust crate surrealdb to v2.5.0 [security]" to "chore(deps): update rust crate surrealdb to v2.6.1 [security]" on Feb 12, 2026