🦀 crates.io

GHSA-xx7m-69ff-9crp

SurrealDB vulnerable to Denial of Service through scripting function memory edge case

Published
Feb 12, 2026
Updated
Feb 12, 2026
Affected
2 pkgs
Patched
2 / 2
Exploits
None indexed


Description

In SurrealDB instances with the scripting capability enabled (--allow-scripting), users with the ability to run arbitrary queries can trigger a server crash due to a memory-safety bug in the underlying JS engine. The SurrealDB instance terminates instantly, requiring a manual restart.

The query consists of using built-in string functions to construct a large string and passing it to the JavaScript runtime for compilation. The exact string size required to trigger the crash varies between SurrealDB versions.

Whilst exploiting the vulnerability requires users to be able to run arbitrary queries, if guest access (--allow-guests) is enabled, then guests can perform this attack.

Impact

Any user able to execute queries on a SurrealDB instance with scripting enabled (--allow-scripting) can cause complete denial of service. The server process terminates immediately without graceful shutdown.

The underlying cause of the vulnerability is a null pointer dereference in the QuickJS-NG v0.8 JavaScript engine; this vulnerability cannot be exploited to execute arbitrary code or to compromise the integrity or confidentiality of data.

Patches

Versions prior to SurrealDB v2.6.1 and v3.0.0-beta.3 are vulnerable.

The patches for SurrealDB v2.6.1 and v3.0.0-beta.3 update the rquickjs dependency from v0.9.0 to v0.11.0, which in turn uses an updated version of QuickJS-NG.

Workarounds

Deny execution of embedded scripting functions through the configuration of capabilities by starting SurrealDB with the --deny-scripting flag or the equivalent environment variable SURREAL_CAPS_DENY_SCRIPT=true. This has a usability implication, although scripting functions are disabled by default.

Administrators can also use --deny-arbitrary-query to deny arbitrary querying by either guest, record or system users, or a combination of those, with impacts to functionality for those users.

Links

SurrealDB Documentation - Capabilities
SurrealDB Documentation - Guest Access
SurrealQL Documentation - Scripting Functions
quickjs-ng v0.9 Release Notes
https://github.com/surrealdb/surrealdb/pull/6833
https://github.com/surrealdb/surrealdb/pull/6774

Affected Packages

2 total, 2 fixed

Ecosystem   Package     Vulnerable range                   Fix
crates.io   surrealdb   all versions                       2.6.1
crates.io   surrealdb   3.0.0-alpha.8 && < 3.0.0-beta.3    3.0.0-beta.3
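
As an added detection example (not the advisory's or SurrealDB's own code), the Rust program below applies the affected ranges from the table above to every surrealdb entry in a Cargo.lock, using prerelease-aware semver comparison so that 3.0.0-alpha.8, 3.0.0-beta.3 and the final 3.0.0 order correctly. The lockfile content is constructed, and the scanner deliberately flags any version it cannot parse as needing review.

```rust
// Semver precedence falls out of derive(Ord): numeric identifiers sort before alphanumeric ones,
// and the Release marker (sole "prerelease" entry of a final version) outranks any real prerelease.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
enum Ident { Num(u64), Alpha(String), Release }
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
struct Version { core: (u64, u64, u64), pre: Vec<Ident> }

// Parse "MAJOR.MINOR.PATCH[-PRE.RELEASE]"; build metadata ("+...") is not handled here.
fn parse(s: &str) -> Option<Version> {
    let (core, pre) = s.split_once('-').unwrap_or((s, ""));
    let mut n = core.split('.').map(|x| x.parse::<u64>().ok());
    let core = (n.next()??, n.next()??, n.next()??);
    if n.next().is_some() { return None; }
    let pre = if pre.is_empty() { vec![Ident::Release] } else {
        pre.split('.').map(|id| id.parse().map(Ident::Num).unwrap_or_else(|_| Ident::Alpha(id.into()))).collect()
    };
    Some(Version { core, pre })
}

// Affected ranges from the advisory table: < 2.6.1, and 3.0.0-alpha.8 <= v < 3.0.0-beta.3.
fn is_vulnerable(v: &Version) -> bool {
    let b = |s: &str| parse(s).expect("advisory bound is valid semver");
    *v < b("2.6.1") || (*v >= b("3.0.0-alpha.8") && *v < b("3.0.0-beta.3"))
}

// Walk a Cargo.lock (one [[package]] block per crate version, name before version) and report
// every surrealdb entry as (version, vulnerable); an unparsable version is flagged for review.
fn scan_cargo_lock(lock: &str) -> Vec<(String, bool)> {
    let (mut out, mut name) = (Vec::new(), String::new());
    for line in lock.lines().map(str::trim) {
        if let Some(v) = line.strip_prefix("name = ") { name = v.trim_matches('"').to_string(); }
        else if let (Some(v), "surrealdb") = (line.strip_prefix("version = "), name.as_str()) {
            let ver = v.trim_matches('"').to_string();
            let vuln = parse(&ver).map_or(true, |p| is_vulnerable(&p));
            out.push((ver, vuln));
        }
    }
    out
}

// Constructed sample lockfile fragment (not taken from any real project).
const SAMPLE_LOCK: &str = "[[package]]\nname = \"serde\"\nversion = \"1.0.210\"\n\n[[package]]\n\
    name = \"surrealdb\"\nversion = \"2.5.1\"\n\n[[package]]\nname = \"surrealdb\"\nversion = \"3.0.0-beta.3\"\n";

fn main() {
    for (ver, vuln) in scan_cargo_lock(SAMPLE_LOCK) {
        println!("surrealdb {ver}: {}", if vuln { "VULNERABLE (GHSA-xx7m-69ff-9crp)" } else { "patched" });
    }
}
```

A workspace lockfile can list the same crate at several versions, which is why the scanner reports every surrealdb block rather than stopping at the first match.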

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for surrealdb. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update surrealdb to 2.6.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-xx7m-69ff-9crp is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-xx7m-69ff-9crp is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-xx7m-69ff-9crp. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
