Skip to content

Commit 69f32d4

Browse files
committed
fix(security): upgrade surrealdb from 1.5 to 2.4 to address 13 CVEs
Fixes the following Dependabot security alerts: - GHSA-ccj3-5p93-8p42: Server-takeover via SurrealQL injection (Critical) - CPU exhaustion via custom functions (High) - Memory exhaustion via string::replace using regex (High) - Uncaught exception in Net module causing DB crash (High) - Improper Authorization in Select Permissions (High) - Unauthorized Data Exposure via LIVE Query (Moderate) - Uncaught Exception Sorting Tables by Random Order (Moderate) - Uncaught Exception in Random Time Function (Moderate) - Memory exhaustion via nested functions/scripts (Moderate) - SSRF bypass via redirect (Moderate) - Uncaught Exception Handling Nonexistent Role (Moderate) - No JavaScript timeout facilitating DoS (Low) - Local file read via analyzers (Low) Minimum patched versions: 2.0.5, 2.1.5, 2.2.2 Updated to: 2.4 (latest stable)
1 parent 95370b8 commit 69f32d4

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

src/rust-routing/Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ reqwest = { version = "0.11", features = ["json"] }
3232
redis = { version = "0.24", features = ["tokio-comp", "connection-manager"] }
3333

3434
# Database clients
35-
surrealdb = { version = "1.5", features = ["protocol-ws"] }
35+
surrealdb = { version = "2.4", features = ["protocol-ws"] }
3636

3737
# Decimal for money
3838
rust_decimal = { version = "1.33", features = ["serde"] }

0 commit comments

Comments
 (0)