
Fix SurrealDB injection vulnerability in backup import #4

Merged
hyperpolymath merged 1 commit into main from claude/fix-surrealdb-injection-01Sqvyz3cwZusfyKobV3T2WR on Dec 7, 2025

Conversation

@hyperpolymath (Owner)
Fixes the following Dependabot security alerts:

  • GHSA-ccj3-5p93-8p42: Server-takeover via SurrealQL injection (Critical)
  • CPU exhaustion via custom functions (High)
  • Memory exhaustion via string::replace using regex (High)
  • Uncaught exception in Net module causing DB crash (High)
  • Improper Authorization in Select Permissions (High)
  • Unauthorized Data Exposure via LIVE Query (Moderate)
  • Uncaught Exception Sorting Tables by Random Order (Moderate)
  • Uncaught Exception in Random Time Function (Moderate)
  • Memory exhaustion via nested functions/scripts (Moderate)
  • SSRF bypass via redirect (Moderate)
  • Uncaught Exception Handling Nonexistent Role (Moderate)
  • No JavaScript timeout facilitating DoS (Low)
  • Local file read via analyzers (Low)

Minimum patched versions: 2.0.5, 2.1.5, 2.2.2
Updated to: 2.4 (latest stable)

hyperpolymath merged commit 3bacb72 into main on Dec 7, 2025
0 of 7 checks passed
hyperpolymath deleted the claude/fix-surrealdb-injection-01Sqvyz3cwZusfyKobV3T2WR branch on December 7, 2025 at 17:02