Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01OGo5LWoyZmotdjhmNM4AA4lB
SurrealDB vulnerable to Uncontrolled CPU Consumption via WebSocket Interface
SurrealDB depends on the tungstenite and tokio-tungstenite crates used by the axum crate, which handles connections to the SurrealDB WebSocket interface. On versions before 0.20.1, the tungstenite crate presented an issue which allowed the parsing of HTTP headers during the client handshake to continuously consume high CPU when the headers were very long. All affected crates have been updated in SurrealDB version 1.1.0.
From the original advisory for CVE-2023-43669:
"The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes)."
Impact
A remote unauthenticated attacker may cause a SurrealDB server that exposes its WebSocket interface to consume high CPU by sending an HTTP request with a very long header to the WebSocket interface, potentially leading to denial of service.
Patches
- Version 1.1.0 and later are not affected by this issue.
Workarounds
Users unable to update may be able to limit access to the WebSocket interface (i.e. the /rpc endpoint) via reverse proxy if not in use or only used by a limited number of trusted clients. Alternatively, a reverse proxy may be used to strip or truncate request headers exceeding a reasonable length before reaching the SurrealDB server.
References
- #2807
- https://nvd.nist.gov/vuln/detail/CVE-2023-43669
- https://rustsec.org/advisories/RUSTSEC-2023-0065.html
- https://github.com/snapview/tungstenite-rs/issues/376
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01OGo5LWoyZmotdjhmNM4AA4lB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-58j9-j2fj-v8f4
References:
- https://github.com/surrealdb/surrealdb/security/advisories/GHSA-58j9-j2fj-v8f4
- https://nvd.nist.gov/vuln/detail/CVE-2023-43669
- https://github.com/snapview/tungstenite-rs/issues/376
- https://github.com/surrealdb/surrealdb/pull/2807
- https://github.com/surrealdb/surrealdb/commit/87859158d3750b03564613de70b5ec4ae090549d
- https://rustsec.org/advisories/RUSTSEC-2023-0065.html
- https://github.com/advisories/GHSA-58j9-j2fj-v8f4
Blast Radius: 16.5
Affected Packages
cargo:surrealdb
Dependent packages: 22Dependent repositories: 158
Downloads: 107,395 total
Affected Version Ranges: < 1.1.0
Fixed in: 1.1.0
All affected versions: 1.0.0, 1.0.1, 1.0.2
All unaffected versions: 1.1.0, 1.1.1, 1.2.0, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.2