CVE-2025-71396
SurrealDB before 2.2.2 Denial of Service via JavaScript Scripting
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 does not enforce a default execution-time limit on embedded JavaScript scripting functions when the scripting capability is explicitly enabled (via --allow-scripting or --allow-all). An authenticated attacker can submit long-running JavaScript functions to exhaust server resources and cause a denial of service. Scripting is disabled by default.
| CWE | CWE-770 |
| Vendor | surrealdb |
| Product | surrealdb |
| Published | Jul 18, 2026 |
Stay Ahead of the Next One
Get instant alerts for surrealdb surrealdb
Be the first to know when new unknown vulnerabilities affecting surrealdb surrealdb are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
surrealdb / surrealdb
0 < 2.2.2
surrealdb / surrealdb
0 < 2.0.5
surrealdb / surrealdb
0 < 2.1.5
References
Credits
๐ cure53