GHSA-XX7M-69FF-9CRP: SurrealDB's Poison Pill: Crashing the Database with a Single String

via Dev.to • CVE Reports • 1d ago

Vulnerability ID: GHSA-XX7M-69FF-9CRP
CVSS Score: 6.5
Published: 2026-02-12

A critical Denial of Service vulnerability exists in SurrealDB's embedded JavaScript engine, QuickJS. By defining a scripting function containing an excessively large string literal, an attacker can trigger a Null Pointer Dereference (CWE-476) within the compilation phase. This memory safety violation bypasses Rust's safety guarantees, causing the entire database process to terminate immediately via a segmentation fault.

TL;DR

SurrealDB embeds the QuickJS engine to allow inline JavaScript functions. A flaw in how QuickJS handles massive string literals during compilation allows an attacker to trigger a Null Pointer Dereference. By submitting a crafted SurrealQL query that generates a huge string and feeds it to the JS engine, an authenticated user can crash the server instantly. The fix involves updating the internal rquickjs dependency.

⚠️ Exp
