Tag
#auth
### Impact

When using the ch-go library, under a specific condition, when a query includes large, uncompressed, malicious external data, an attacker in control of that data can smuggle another query packet into the connection stream.

### Patches

If you are using the ch-go library, we recommend updating to at least version 0.65.0.

### Credit

This issue was found by lixts and reported through our bugcrowd program.
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
Russian APT group Storm-2372 employs device code phishing to bypass Multi-Factor Authentication (MFA). Targets include government, technology, finance,…
As organizations increasingly rely on SaaS applications to run their operations, securing them has become a necessity. Without…
TL;DR: A critical deserialization vulnerability (CVSS 9.8 – CVE-2025-27520) in BentoML (v1.3.8–1.4.2) lets attackers execute remote code without…
The US has indicated it will sign the Pall Mall Pact, an international treaty to regulate commercial spyware and surveillance tools.
SurrealDB offers `http::*` functions that can access external network endpoints. A typical, albeit [not recommended](https://surrealdb.com/docs/surrealdb/reference-guide/security-best-practices#example-deny-all-capabilities-with-some-exceptions), configuration is to start SurrealDB with all network connections allowed except for a deny list. For example, `surreal start --allow-net --deny-net 10.0.0.0/8` allows all network connections except those to the 10.0.0.0/8 block. An authenticated user of SurrealDB can use redirects to bypass this restriction, for example by hosting a server on the public internet that redirects, via HTTP 301 or 307 responses, to the IP addresses blocked by the SurrealDB administrator. When SurrealQL statements containing `http::*` functions are sent to the attacker-controlled host, the SurrealDB server follows the redirects to the blocked IP address. Because the statements also return the responses to the attacker, this iss...
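The bypass above comes down to where the deny list is enforced: once, on the URL the user supplied, or on every hop of the redirect chain. The following is an added example, not SurrealDB's code or its patch; it simulates both behaviours against a constructed redirect chain and DNS table (the hosts `evil.example` and `internal.corp`, the addresses, and the responses are all made up so the script runs offline):

```python
"""Redirect-aware deny-list enforcement (added example; not SurrealDB's code).

The resolver table and the HTTP responses below are constructed stand-ins so
the example runs offline; evil.example, internal.corp and the addresses are
hypothetical."""
import ipaddress
from urllib.parse import urljoin, urlsplit

# Constructed DNS answers: the attacker's host resolves to a public address,
# a second name resolves straight into the denied range.
RESOLVER = {
    "evil.example": "203.0.113.10",
    "internal.corp": "10.1.2.3",
}

# Constructed responses keyed by URL: (status, headers, body).
RESPONSES = {
    "http://evil.example/start": (301, {"Location": "http://10.0.0.5/admin"}, ""),
    "http://10.0.0.5/admin": (200, {}, "internal admin panel"),
    "http://evil.example/dns": (307, {"Location": "http://internal.corp/secrets"}, ""),
    "http://internal.corp/secrets": (200, {}, "secret"),
    "http://evil.example/ok": (302, {"Location": "/final"}, ""),
    "http://evil.example/final": (200, {}, "public content"),
}

DENY = [ipaddress.ip_network("10.0.0.0/8")]  # mirrors --deny-net 10.0.0.0/8
REDIRECTS = {301, 302, 303, 307, 308}


def resolve_host(host):
    """Return the address a connection to `host` would actually reach."""
    try:
        return ipaddress.ip_address(host)  # literal address, no lookup needed
    except ValueError:
        return ipaddress.ip_address(RESOLVER[host])


def is_denied(url, deny_nets):
    addr = resolve_host(urlsplit(url).hostname)
    return any(addr in net for net in deny_nets)


def fetch_naive(url, deny_nets, max_hops=5):
    """Vulnerable pattern: the policy is checked once, on the URL the user
    supplied, and every Location header after that is followed blindly."""
    if is_denied(url, deny_nets):
        raise PermissionError(url)
    for _ in range(max_hops):
        status, headers, body = RESPONSES[url]
        if status in REDIRECTS:
            url = urljoin(url, headers["Location"])
            continue
        return body
    raise RuntimeError("too many redirects")


def fetch_checked(url, deny_nets, max_hops=5):
    """Hardened pattern: every hop is resolved and checked before it is fetched,
    so a redirect cannot land somewhere the first URL could not."""
    for _ in range(max_hops):
        if is_denied(url, deny_nets):
            raise PermissionError(url)
        status, headers, body = RESPONSES[url]
        if status in REDIRECTS:
            url = urljoin(url, headers["Location"])
            continue
        return body
    raise RuntimeError("too many redirects")


def outcome(fetcher, url, deny_nets=DENY):
    """Helper for comparing the two fetchers: body on success, 'DENIED' otherwise."""
    try:
        return fetcher(url, deny_nets)
    except PermissionError:
        return "DENIED"


if __name__ == "__main__":
    for path in ("start", "dns", "ok"):
        url = f"http://evil.example/{path}"
        print(path, "naive:", outcome(fetch_naive, url), "| checked:", outcome(fetch_checked, url))
```

In a real client the check has to be made on the address the socket will actually connect to (resolve once, check, then connect to that address) or a DNS answer can change between the check and the connection. With `urllib` or `requests` that means disabling automatic redirects and driving the loop yourself, as `fetch_checked` does.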
SurrealDB allows authenticated users with `OWNER` or `EDITOR` permissions at the root, namespace or database level to define their own database functions using the `DEFINE FUNCTION` statement. A custom database function comprises a name together with a function body, in which the user implements the function's behaviour in SurrealQL. The language includes a `FOR` keyword, used to implement for-loops. While the parser and interpreter constrain the number of iterations of a single for-loop, nesting several for-loops with a large number of iterations each is possible. Thus, an attacker can define a function comprising several nested for-loops with an iteration count of 1,000,000 each. Executing the function consumes all the CPU time of the server, configured timeouts do not interrupt the CPU consumption, and the function execution monopolizes all CPU time of the SurrealDB server, effectively preventing the server from executing functions, queries, com...
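The point of the advisory is that a per-loop cap bounds nothing once loops nest: the total work is the product of the counts, and a timeout that is never polled cannot stop it. The following is an added example, not SurrealDB's interpreter or its fix; it is a tiny nested-loop executor in which the per-loop cap (an assumed value) passes each loop individually, while a shared iteration budget and deadline, checked cooperatively on every iteration at every level, abort the run:

```python
"""Shared execution budget for nested loops (added example; not SurrealDB's
interpreter). The per-loop cap is an assumed stand-in for the constraint the
advisory mentions; the figures are illustrative."""
import time

PER_LOOP_LIMIT = 1_000_000  # assumed per-loop cap; each loop passes it in isolation


class BudgetExceeded(Exception):
    pass


class Budget:
    """Cooperative budget checked on every iteration at every nesting level.
    Checking here is what lets a timeout actually interrupt the loop."""

    def __init__(self, max_iterations, deadline_s):
        self.remaining = max_iterations
        self.deadline = time.monotonic() + deadline_s

    def tick(self):
        self.remaining -= 1
        if self.remaining < 0 or time.monotonic() > self.deadline:
            raise BudgetExceeded()


def run_nested(counts, budget=None):
    """Run loops nested in the order given; returns how many times the innermost
    body ran. With budget=None only the per-loop cap applies, which is the
    weakness: the total work is the product of the counts."""
    if any(c > PER_LOOP_LIMIT for c in counts):
        raise ValueError("single loop exceeds per-loop limit")
    body_runs = 0

    def loop(depth):
        nonlocal body_runs
        if depth == len(counts):
            body_runs += 1
            return
        for _ in range(counts[depth]):
            if budget is not None:
                budget.tick()
            loop(depth + 1)

    loop(0)
    return body_runs


def run_bounded(counts, max_iterations, deadline_s=1.0):
    """Returns (True, body_runs) if the loops finished within budget, otherwise
    (False, iterations_spent) once the budget or deadline cut them off."""
    budget = Budget(max_iterations, deadline_s)
    try:
        return True, run_nested(counts, budget)
    except BudgetExceeded:
        return False, max_iterations - budget.remaining


def planned_iterations(counts):
    """Innermost body executions the attacker's function would perform."""
    total = 1
    for c in counts:
        total *= c
    return total


if __name__ == "__main__":
    print("three nested loops of 1,000,000:", planned_iterations([1_000_000] * 3))
    print("small loops within budget:", run_bounded([3, 4], 100))
    print("1000 x 1000 with a 5000-iteration budget:", run_bounded([1000, 1000], 5000))
```

The per-loop check is kept in `run_nested` to show that it is not wrong, just insufficient; the budget in `run_bounded` is what turns the configured timeout into something the interpreter actually observes.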
An authenticated user can craft a query using the `string::replace` function that uses a regex to perform a string replacement. Because the resulting string length is not restricted, an attacker can send a `string::replace` call to the SurrealDB server that exhausts all of the server's memory through string allocations. This eventually results in a denial-of-service situation for the SurrealDB server. This issue was discovered and patched during a code audit and penetration test of SurrealDB by cure53. Using CVSSv4 definitions, the severity is High.

### Impact

An authenticated user can crash the SurrealDB instance through memory exhaustion.

### Patches

A patch has been created that enforces a limit on string length, `SURREAL_GENERATION_ALLOCATION_LIMIT`. Versions 2.0.5, 2.1.5, 2.2.2, and later are not affected by this issue.

### Workarounds

Affected users who are unable to update may want to limit the ability of untrusted clients to run the `string::replace`...
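What makes this a memory bug rather than a CPU one is amplification: an empty or near-empty pattern matches between every character, so a short input and a long replacement produce output hundreds or thousands of times the size of the query. The following is an added example, not SurrealDB's fix; it wraps Python's `re.sub` so that the replacement aborts at the first match whose output would cross an assumed cap (the value is mine, not the default of `SURREAL_GENERATION_ALLOCATION_LIMIT`), and it computes the amplification factor the unbounded version would have allocated:

```python
"""Bounded regex replacement (added example; not SurrealDB's fix). The limit
constant is an assumed value, not SURREAL_GENERATION_ALLOCATION_LIMIT's default."""
import re

MAX_OUTPUT = 1_000_000  # assumed cap on the generated string, in characters


class OutputTooLarge(Exception):
    pass


def replace_bounded(text, pattern, replacement, max_len=MAX_OUTPUT):
    """re.sub that aborts at the first match where cumulative output would pass
    max_len, so memory stays bounded by max_len rather than by the attacker's
    amplification factor. The replacement is inserted literally (no backrefs)."""
    regex = re.compile(pattern)
    produced = 0      # characters of output committed so far
    last_end = 0      # end of the previous match in `text`

    def emit(m):
        nonlocal produced, last_end
        produced += (m.start() - last_end) + len(replacement)
        last_end = m.end()
        if produced > max_len:
            raise OutputTooLarge(f"output would exceed {max_len} characters")
        return replacement

    out = regex.sub(emit, text)
    if len(out) > max_len:  # only the unmatched tail can still push it over
        raise OutputTooLarge(f"output would exceed {max_len} characters")
    return out


def safe_replace(text, pattern, replacement, max_len=MAX_OUTPUT):
    """(True, result) or (False, reason), the shape a request handler wants."""
    try:
        return True, replace_bounded(text, pattern, replacement, max_len)
    except OutputTooLarge as e:
        return False, str(e)


def amplification(text, pattern, replacement):
    """Output size an unbounded re.sub would allocate, divided by input size."""
    matched = 0
    count = 0
    for m in re.finditer(pattern, text):
        matched += len(m.group(0))
        count += 1
    out_len = len(text) - matched + count * len(replacement)
    return out_len / max(len(text), 1)


if __name__ == "__main__":
    print(safe_replace("abc", "", "X", 100))
    print("amplification of '' -> 1000 chars on 10 KB:",
          amplification("a" * 10_000, "", "Y" * 1000))
    print(safe_replace("a" * 10_000, "", "Y" * 1000, 1_000_000))
```

The check runs inside the match callback rather than on the finished string, which is the whole point: a limit applied after `re.sub` returns has already paid for the allocation.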
The SurrealDB command-line tool allows exporting databases through the `export` command. It was discovered that table and field names are not properly sanitized in exports, leading to a SurrealQL injection when the backup is reimported. For the injection to occur, an authenticated System User with the `OWNER` or `EDITOR` role needs to create tables or fields with malicious names containing SurrealQL, which are subsequently exported using the `export` operation. The attacker can achieve privilege escalation and root-level access to the SurrealDB instance if a higher-privileged user subsequently performs the `import` operation. Furthermore, applications using SurrealDB that allow their users to define custom fields or tables are at risk of a universal second-order SurrealQL injection, even if query parameters are properly sanitized. This issue was discovered and patched during a code audit and penetration test of SurrealDB by cure53; the severity defined within cure53's preliminary finding is ...
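The second-order nature of this bug is easiest to see by building the dump yourself. The following is an added example, not SurrealDB's CLI or its patch: a toy exporter that splices table names straight into `DEFINE TABLE` statements, a constructed malicious name (the `DEFINE USER ... ROLES OWNER` payload and the `--` comment are illustrative, not a verified exploit), a rough statement splitter to show what the importing user would execute, and a hardened exporter that refuses anything but plain identifiers. The allowlist is deliberately stricter than a real fix, which would quote and escape identifiers according to SurrealQL's grammar:

```python
"""Export-time identifier handling (added example; not SurrealDB's CLI or its
patch). The DEFINE statement shapes and the payload are illustrative, and the
allowlist is a deliberately strict stand-in for proper identifier quoting."""
import re

SAFE_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed malicious table name. Spliced raw into a dump, the first ';'
# terminates the DEFINE TABLE statement, the next statement runs with the
# privileges of whoever replays the dump, and '--' comments out the tail the
# exporter appends.
EVIL_TABLE = "users SCHEMALESS; DEFINE USER backdoor ON ROOT PASSWORD 'pw' ROLES OWNER; --"


def export_naive(table_names):
    """Vulnerable pattern: identifiers are spliced straight into the dump."""
    return "\n".join(f"DEFINE TABLE {name} SCHEMALESS;" for name in table_names)


def export_checked(table_names):
    """Hardened pattern: refuse anything that is not a plain identifier."""
    for name in table_names:
        if not SAFE_IDENT.match(name):
            raise ValueError(f"refusing to export unsafe identifier {name!r}")
    return export_naive(table_names)


def try_export(table_names):
    """(True, dump) or (False, reason) from the hardened exporter."""
    try:
        return True, export_checked(table_names)
    except ValueError as e:
        return False, str(e)


def statements(dump):
    """Rough model of what an importer executes: strip '--' comments, split on ';'.
    Good enough for the payload above; a real parser handles quoted strings."""
    no_comments = "\n".join(line.split("--", 1)[0] for line in dump.splitlines())
    return [s.strip() for s in no_comments.split(";") if s.strip()]


def smuggled(dump):
    """Statements in the dump that are not the DEFINE TABLE lines the exporter meant to write."""
    return [s for s in statements(dump) if not s.startswith("DEFINE TABLE")]


if __name__ == "__main__":
    dump = export_naive(["accounts", EVIL_TABLE])
    print(dump)
    print("smuggled on import:", smuggled(dump))
    print("hardened exporter:", try_export(["accounts", EVIL_TABLE]))
```

Note where the check has to live: the name was accepted at `DEFINE TABLE` time by a user who was allowed to define tables, so the only remaining control points are serialization in `export` and the privilege of the account that runs `import`. Running imports as the least-privileged user that can still recreate the schema limits what a smuggled statement can do even when the dump is untrusted.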