Commit 69f32d4
committed
fix(security): upgrade surrealdb from 1.5 to 2.4 to address 13 CVEs
Fixes the following Dependabot security alerts:
- GHSA-ccj3-5p93-8p42: Server-takeover via SurrealQL injection (Critical)
- CPU exhaustion via custom functions (High)
- Memory exhaustion via string::replace using regex (High)
- Uncaught exception in Net module causing DB crash (High)
- Improper Authorization in Select Permissions (High)
- Unauthorized Data Exposure via LIVE Query (Moderate)
- Uncaught Exception Sorting Tables by Random Order (Moderate)
- Uncaught Exception in Random Time Function (Moderate)
- Memory exhaustion via nested functions/scripts (Moderate)
- SSRF bypass via redirect (Moderate)
- Uncaught Exception Handling Nonexistent Role (Moderate)
- No JavaScript timeout facilitating DoS (Low)
- Local file read via analyzers (Low)
Minimum patched versions: 2.0.5, 2.1.5, 2.2.2
Updated to: 2.4 (latest stable)1 parent 95370b8 commit 69f32d4
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
32 | 32 | | |
33 | 33 | | |
34 | 34 | | |
35 | | - | |
| 35 | + | |
36 | 36 | | |
37 | 37 | | |
38 | 38 | | |
| |||
0 commit comments