
SurrealDB 3.1.5 patches five flaws; lead is a HIGH file read

SurrealDB shipped 3.1.5 on June 19, closing five same-day GitHub advisories — including arbitrary file read via DEFINE ANALYZER mapper at CVSS 7.7. No CVE IDs assigned yet.


SurrealDB shipped 3.1.5 on June 19, 2026, closing five security advisories filed against the project on the same day. The lead bug — GHSA-cc8f-fcx3-gpjr — is a HIGH-severity arbitrary file read via the DEFINE ANALYZER mapper() filter, scored CVSS 7.7. None of the five advisories carries a CVE ID at time of writing.

Affected versions

All five list 3.1.5 as the patched ceiling. Floor and severity vary:

  • File read via ANALYZER mapper (GHSA-cc8f-fcx3-gpjr). All versions below 3.1.5. CVSS 7.7 (HIGH).
  • DoS via deep operator chains (GHSA-jv2j-mqmw-xvv5). 3.0.0 through 3.1.4. CVSS 6.5 (MODERATE).
  • Field-level SELECT bypass via graph traversals (GHSA-hv6h-hc26-q48p). 3.1.0 through 3.1.4. CVSS 4.3.
  • Indexed ORDER BY leaks restricted-field ordering (GHSA-h4h3-3rfj-x6fq). 3.0.0 through 3.1.4. CVSS 4.3.
  • SSRF via JWKS URL redirect-following (GHSA-h5rg-8p7f-47g2). All versions below 3.1.5. CVSS 4.1.

All five require authentication. Three of them — the file read, the field bypass, and the JWKS SSRF — require a privileged in-database role: EDITOR or OWNER at minimum.

What the bugs do

The file read turns SurrealDB's term-mapping feature into an oracle for arbitrary file content. The DEFINE ANALYZER mapper() filter loads a key/value file from disk; when the file doesn't parse, the parser surfaces the offending line in the query error message. With SURREAL_FILE_ALLOWLIST empty (the default), an EDITOR or OWNER points the filter at any path the SurrealDB process can read and recovers the first line through the error channel. Startup credentials and environment variables sitting in systemd EnvironmentFile= or /proc/self/environ are the obvious target. Reported by Jan Kahmen (@kah-ja).

The DoS rides SurrealDB's Pratt parser. A single RETURN 1 + 1 + 1 + ... repeated thousands of times builds an expression tree the parser accepts without hitting any recursion limit. Later recursive traversal during formatting or execution overflows the stack and crashes the entire process.

The field-level bypass sidesteps per-field SELECT permissions when the query uses graph traversal syntax (person:bob->(SELECT * FROM knows)) or back-reference syntax (person:bob<~(SELECT * FROM comment)). The helper that materialises records during traversal — resolve_record_batch — enforces table-level permissions only; it never runs the field filter that a direct scan would apply.

The ORDER BY leak lets a low-privilege caller infer the relative ordering of values in a hidden field. The planner applies permission checks during row projection, after sorting. If the hidden field is indexed, ORDER BY hidden_field returns rows in the hidden values' true sorted order even though the field itself comes back null.

The JWKS SSRF lets an OWNER point SurrealDB's JWT key fetcher at an attacker-controlled URL that 302-redirects into cloud-instance metadata. The network-capability allowlist is checked against the original URL but not the redirect target.

Exploitation status

No in-the-wild exploitation is reported in any of the five advisories. All five came from coordinated disclosure: the file-read bug is credited to Jan Kahmen; the others are credited to internal review.

Action checklist

  1. Upgrade to SurrealDB 3.1.5 today.
  2. If you can't upgrade immediately, set SURREAL_FILE_ALLOWLIST to a tightly scoped directory and audit every EDITOR / OWNER role assignment.
  3. Restrict WebSocket /rpc from untrusted callers and run SurrealDB under an orchestrator (Kubernetes, systemd, Docker) with auto-restart so the operator-chain DoS doesn't translate into prolonged downtime.
  4. Review JWT issuer configuration. Only allow JWKS URLs you control end-to-end, and confirm 3.1.5 is in place before re-enabling.
  5. Re-test field-level permissions after upgrade if you rely on them as a security boundary; before 3.1.5 they could be sidestepped via graph traversal or inferred via indexed ORDER BY.
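As an added defender-side illustration, not code from the article or from SurrealDB: a small Python checker that runs over query-log lines (constructed here) and flags the two patterns above that are cheapest to spot while 3.1.5 is still rolling out, a mapper() path outside the SURREAL_FILE_ALLOWLIST directory and an operator chain long enough to threaten the parser. The mapper('...') argument form, the allowlist value and the chain threshold are assumptions.

```python
import posixpath
import re

# Constructed sample query lines (not real SurrealDB log output), one query per line.
SAMPLE_QUERIES = [
    "DEFINE ANALYZER lemma TOKENIZERS blank FILTERS mapper('/var/lib/surreal/maps/en.txt');",
    "DEFINE ANALYZER leak TOKENIZERS blank FILTERS mapper('/proc/self/environ');",
    "DEFINE ANALYZER leak2 FILTERS mapper('/var/lib/surreal/maps/../../../../etc/surreal.env');",
    "RETURN " + " + ".join(["1"] * 5000) + ";",
    "SELECT name FROM person ORDER BY email;",
]

# Hypothetical SURREAL_FILE_ALLOWLIST value; an empty list mirrors the insecure default,
# in which case every mapper() path is reported.
ALLOWLIST = ["/var/lib/surreal/maps"]
# Hypothetical threshold; legitimate queries rarely chain hundreds of arithmetic operators.
OPERATOR_CHAIN_LIMIT = 500

MAPPER_RE = re.compile(r"\bmapper\(\s*['\"]([^'\"]+)['\"]\s*\)", re.IGNORECASE)
STRING_RE = re.compile(r"'[^']*'|\"[^\"]*\"")
OPERATOR_RE = re.compile(r"[+\-*/]")


def path_allowed(path: str) -> bool:
    """True only if the normalised path sits inside an allowlisted directory.
    Relative paths never match, which is deliberately conservative."""
    norm = posixpath.normpath(path)
    return any(norm == d or norm.startswith(d.rstrip("/") + "/") for d in ALLOWLIST)


def scan_query(query: str) -> list[str]:
    """Return a list of findings for one query; an empty list means nothing suspicious."""
    findings = []
    for match in MAPPER_RE.finditer(query):
        if not path_allowed(match.group(1)):
            findings.append(f"mapper path outside allowlist: {posixpath.normpath(match.group(1))}")
    # Blank out string literals so slashes inside file paths are not counted as operators.
    stripped = STRING_RE.sub("''", query)
    ops = len(OPERATOR_RE.findall(stripped))
    if ops > OPERATOR_CHAIN_LIMIT:
        findings.append(f"operator chain of {ops} operators exceeds limit {OPERATOR_CHAIN_LIMIT}")
    return findings


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        for finding in scan_query(q):
            print(f"{finding}  <- {q[:60]}")
```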

Context

SurrealDB has shipped advisory clusters at this scale before. The 3.1 series opened with a notably larger batch of security fixes than prior majors — the project's own 3.1 release blog describes the surge as a deliberate investment in internal review, including LLM-assisted audit. 3.1.5 continues that pattern: five advisories filed and resolved in a single same-day release. Operators running SurrealDB with permissive role assignments — EDITOR or OWNER given to anything outside a tightly controlled admin path — should treat the file-read primitive as the bug that matters most. Reading the first line of /proc/self/environ is enough to recover the database's own startup secrets in many deployments, which collapses the remaining trust boundary between an authenticated EDITOR and full instance compromise.
