Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🦀 crates.io

GHSA-x5fr-7hhj-34j3

HIGH

Full Table Permissions by Default

Published
Dec 15, 2023
Updated
Dec 15, 2023
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

Blast Radius

1 pkg affected
🦀surrealdb

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.

Description

Default table permissions in SurrealDB were FULL instead of NONE. This would lead to tables having FULL permissions for SELECT, CREATE, UPDATE and DELETE unless some other permissions were specified via the PERMISSIONS clause.

We have decided to treat this behaviour as a vulnerability due to its security implications, especially considering the lack of specific documentation and potential for confusion due to the INFO FOR DB statement previously not displaying default permissions. Treating it as a bug fix provides justification for a change in default behavior outside of a major release.

Impact

Any client authorized to query data in a SurrealDB instance will have full access to any tables that were defined with no explicit permissions and that are within its authorization scope (i.e. namespace or database), including creating, reading, updating and deleting data. This is specially relevant for SurrealDB instances allowing guest access with publicly exposed interfaces (e.g. HTTP REST API or WebSocket API), since a remote unauthenticated user may gain full access to any tables that were defined without any explicit permissions. Tables that were defined with explicit permissions using the PERMISSIONS clause are not affected.

Patches

  • Version 1.0.1 includes a patch for this specific issue. Later releases will also include the patch.
  • Version 1.1.0-beta.1 and latest nightly releases already include the patch for this issue.

In patched versions:

  • Tables defined after the patch without explicit permissions have NONE permissions.
  • Table permissions are always explicitly displayed with the INFO FOR DB statement.

Workarounds

In unpatched versions, this issue can be resolved by explicitly defining table permissions as shown in the following examples:

-- INSECURE EXAMPLE
-- DEFINE TABLE insecure;
-- SECURE EXAMPLE 1
DEFINE TABLE secure PERMISSIONS NONE;
-- SECURE EXAMPLE 2
DEFINE TABLE secure PERMISSIONS FOR SELECT, CREATE, UPDATE, DELETE NONE;
-- SECURE EXAMPLE 3
DEFINE TABLE secure PERMISSIONS FOR
  SELECT WHERE user = $auth.id,
  CREATE, UPDATE, DELETE NONE;
-- SECURE EXAMPLE 4
DEFINE TABLE secure PERMISSIONS
  FOR select WHERE published = true OR user = $auth.id
  FOR create, update WHERE user = $auth.id
  FOR delete WHERE user = $auth.id OR $auth.admin = true;

References

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🦀crates.iosurrealdball versions1.0.1

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for surrealdb. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update surrealdb to 1.0.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-x5fr-7hhj-34j3 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-x5fr-7hhj-34j3 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-x5fr-7hhj-34j3. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

Default table permissions in SurrealDB were `FULL` instead of `NONE`. This would lead to tables having `FULL` permissions for `SELECT`, `CREATE`, `UPDATE` and `DELETE` unless some other permissions were specified via the `PERMISSIONS` clause. We have decided to treat this behaviour as a vulnerability due to its security implications, especially considering the lack of specific documentation and potential for confusion due to the `INFO FOR DB` statement previously not displaying default permissions. Treating it as a bug fix provides justification for a change in default behavior outside of a m
O3 Security · Impact-Aware SCA

Is GHSA-x5fr-7hhj-34j3 in your dependencies?

O3 detects GHSA-x5fr-7hhj-34j3 across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works