CVE-2024-58368

high

Description

SurrealDB versions before 1.1.0 fail to properly parse the ID, DB, and NS headers in HTTP REST API requests containing special characters. Unauthenticated attackers can send crafted HTTP requests with malformed header values to trigger an uncaught exception that crashes the server.

References

https://www.vulncheck.com/advisories/surrealdb-before-denial-of-service-via-http-headers

https://github.com/surrealdb/surrealdb/security/advisories/GHSA-m24x-r6q3-2vp9

Details

Source: Mitre, NVD

Published: 2026-07-18

Updated: 2026-07-18

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Severity: High