CVE-2025-11060
📋 TL;DR
This vulnerability in the SurrealDB database engine allows record or guest users to observe records in the same table that their permissions do not allow them to read. The attacker registers crafted LIVE SELECT subscriptions and waits for other users to modify or delete records; the resulting live notifications bypass the table's access controls. Any deployment running a vulnerable SurrealDB version in which record or guest users can open live query subscriptions is affected.
💻 Affected Systems
- SurrealDB
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could access sensitive data they shouldn't have permission to view, potentially exposing confidential information, personal data, or proprietary business records.
Likely Case
Limited data exposure within specific tables where live queries are active, potentially revealing some unauthorized records to users with partial access.
If Mitigated
If record and guest users cannot open live queries on tables holding sensitive data, and subscriptions are monitored, impact is limited to minor data leakage that can be quickly detected and contained. Row-level PERMISSIONS alone do not mitigate this issue, because the leak is precisely that live notifications cross those permissions.
🎯 Exploit Status
Requires attacker to have some level of access (record or guest user) and knowledge of live query mechanisms. Exploitation timing depends on other users' actions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Any release that includes fix commit d81169a06b89f0c588134ddf2d62eeb8d5e8fd0c (merged via pull request #6247); see the GitHub security advisory for the fixed release numbers.
Vendor Advisory: https://github.com/surrealdb/surrealdb/security/advisories/GHSA-7vm2-j586-vcvc (Red Hat tracking page: https://access.redhat.com/security/cve/CVE-2025-11060)
Restart Required: Yes. The fix is in the server binary, so every SurrealDB server process must be restarted on the patched build; a running process does not pick up a replaced binary.
Instructions:
1. Upgrade SurrealDB to a release that contains commit d81169a06b89f0c588134ddf2d62eeb8d5e8fd0c. For embedded use of the surrealdb crate, rebuild and redeploy the application against the fixed crate version.
2. Restart every SurrealDB server process so the patched binary is running. The restart drops open WebSocket sessions and the live queries registered on them; clients reconnect and resubscribe.
3. Confirm the running version with `surreal version` and re-test that live queries no longer deliver records the subscribing user is not permitted to read.
🔧 Temporary Workarounds
Disable Live Query Subscriptions
Temporarily stop untrusted clients from opening LIVE SELECT subscriptions until the patch is deployed. SurrealDB does not document a server switch that disables live queries alone, so remove LIVE SELECT statements and live RPC calls from the client code that runs as record or guest users. Where guest access is not needed, deny it at the server so unauthenticated sessions cannot subscribe at all:
surreal start --deny-guests
Restrict User Permissions
Limit what record and guest users can reach in tables where live queries are used. Because the leak crosses row-level permissions within a table, a WHERE filter in PERMISSIONS FOR select is not a reliable workaround; move data that must stay private out of tables that untrusted users may subscribe to, or deny those users access to the table entirely. SurrealQL has no REVOKE statement; permissions are part of the table definition, for example:
DEFINE TABLE OVERWRITE sensitive_table PERMISSIONS NONE;
OVERWRITE replaces the existing definition, so restate the table's other clauses (schema mode, changefeed and so on) in the same statement.
🧯 If You Can't Patch
- Disable live query subscriptions entirely in production environments
- Implement additional application-level access controls to filter live query results
🔍 How to Verify
Check if Vulnerable:
You are vulnerable if your SurrealDB build predates fix commit d81169a06b89f0c588134ddf2d62eeb8d5e8fd0c and record or guest users can open live queries.
Check Version:
surreal version
The CLI binary is named surreal, and its version output reports the release rather than individual commits, so compare the reported version with the fixed releases listed in the GitHub security advisory (or with the first release that contains pull request #6247).
Verify Fix Applied:
Confirm that the running server reports a fixed version, then re-test the scenario from the description: as a record user, open a LIVE SELECT on a table whose permissions filter rows per user, have a second user modify and delete records the first user cannot read, and confirm that no notification for those records arrives.
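The following script is an added example for the re-test described above; it is not code from SurrealDB or from the advisory. It connects twice to the WebSocket RPC endpoint: one record user (user:alice) opens a plain LIVE SELECT on a table whose permissions filter rows by owner, a second record user (user:bob) updates and deletes his own records, and every notification alice receives is checked against the set of records she could SELECT herself. The fixture schema, the table, user and access names, the credentials, the root login, the `ws://127.0.0.1:8000/rpc` URL and the RPC message shapes (request envelope, record signin keys NS/DB/AC, notification envelope) are assumptions made for the example and should be checked against the RPC documentation for your version; the `websockets` package is a third-party dependency. A non-empty result is a leak. An empty result does not prove the fix, because the advisory speaks of crafted subscriptions and this is the simplest form, so the version check above remains the authoritative test.

```python
"""SurrealDB live-query permission check (added example, not project code).

Assumed fixture: table `note` readable by record users only WHERE owner = $auth.id,
record users user:alice and user:bob behind a record access named `account`.
Assumed RPC shapes (check the RPC docs for your version): requests {"id","method",
"params"}, record signin params {"NS","DB","AC",...}, and live notifications
{"result": {"id": <live uuid>, "action": "CREATE"|"UPDATE"|"DELETE", "result": <record or id>}}.
"""
from __future__ import annotations
import asyncio
import json
from typing import Any, Iterable

SUBSCRIBER = "user:alice"  # record user that opens the live query
# Assumed fixture schema, loaded as root by run_live_check(); not from the advisory.
SCHEMA_SURQL = """
DEFINE TABLE OVERWRITE user PERMISSIONS NONE;
DEFINE ACCESS OVERWRITE account ON DATABASE TYPE RECORD
    SIGNIN ( SELECT * FROM user WHERE email = $email AND crypto::argon2::compare(pass, $pass) );
DEFINE TABLE OVERWRITE note PERMISSIONS FOR select, create, update, delete WHERE owner = $auth.id;
CREATE user:alice SET email = 'alice@example.com', pass = crypto::argon2::generate('alice-pw');
CREATE user:bob SET email = 'bob@example.com', pass = crypto::argon2::generate('bob-pw');
CREATE note:a1 SET owner = user:alice, text = 'alice 1';
CREATE note:b1 SET owner = user:bob, text = 'bob 1';
CREATE note:b2 SET owner = user:bob, text = 'bob 2';
"""

def record_id(payload: Any) -> str | None:
    """CREATE/UPDATE notifications carry the record; DELETE may carry only its id."""
    if isinstance(payload, dict):
        rid = payload.get("id")
        return rid if isinstance(rid, str) else None
    return payload if isinstance(payload, str) else None

def is_leak(notification: dict, subscriber: str, authorized_ids: set[str]) -> bool:
    """True when a notification exposes a record the subscriber could not SELECT."""
    body = notification.get("result") or {}
    action, payload = body.get("action"), body.get("result")
    if isinstance(payload, dict) and action in ("CREATE", "UPDATE"):
        return payload.get("owner") != subscriber  # whole record: check the permission column
    rid = record_id(payload)  # DELETE or id-only payload: leak unless already readable
    return rid is not None and rid not in authorized_ids

def leaked_records(notifications: Iterable[dict], subscriber: str, authorized_ids: set[str]) -> list[str]:
    """Ids of records exposed to `subscriber` in violation of its permissions."""
    return [record_id(n["result"]["result"]) or "?"
            for n in notifications if is_leak(n, subscriber, authorized_ids)]

# Constructed sample: notifications as alice's socket might receive them.
SAMPLE = [
    {"result": {"id": "lq-1", "action": "UPDATE", "result": {"id": "note:a1", "owner": "user:alice", "text": "x"}}},
    {"result": {"id": "lq-1", "action": "UPDATE", "result": {"id": "note:b1", "owner": "user:bob", "text": "y"}}},
    {"result": {"id": "lq-1", "action": "DELETE", "result": "note:b2"}},
    {"result": {"id": "lq-1", "action": "DELETE", "result": "note:a2"}},
]
ALICE_IDS = {"note:a1", "note:a2"}  # what SELECT id FROM note returns for alice

async def _call(ws, req_id: int, method: str, *params: Any) -> Any:
    """Send one RPC request and return its result, skipping interleaved notifications."""
    await ws.send(json.dumps({"id": req_id, "method": method, "params": list(params)}))
    while True:
        msg = json.loads(await ws.recv())
        if msg.get("id") == req_id:
            if "error" in msg:
                raise RuntimeError(msg["error"])
            return msg["result"]

async def run_live_check(url: str = "ws://127.0.0.1:8000/rpc", ns: str = "test", db: str = "test",
                         root: tuple[str, str] = ("root", "root"), wait: float = 3.0) -> list[str]:
    """alice subscribes, bob edits/deletes his own notes, alice's notifications are judged.
    Needs a running server and the third-party `websockets` package; returns leaked ids."""
    import websockets  # imported lazily so the offline functions above need no network
    async with websockets.connect(url) as admin, websockets.connect(url) as alice, \
            websockets.connect(url) as bob:
        for ws in (admin, alice, bob):
            await _call(ws, 1, "use", ns, db)
        await _call(admin, 2, "signin", {"user": root[0], "pass": root[1]})
        await _call(admin, 3, "query", SCHEMA_SURQL)
        for ws, email, pw in ((alice, "alice@example.com", "alice-pw"), (bob, "bob@example.com", "bob-pw")):
            await _call(ws, 2, "signin", {"NS": ns, "DB": db, "AC": "account", "email": email, "pass": pw})
        rows = (await _call(alice, 3, "query", "SELECT id FROM note"))[0]["result"]
        authorized = {row["id"] for row in rows}
        await _call(alice, 4, "query", "LIVE SELECT * FROM note")
        await _call(bob, 3, "query", "UPDATE note:b1 SET text = 'edited'; DELETE note:b2;")
        received = []
        try:
            while True:  # drain notifications until the table goes quiet
                msg = json.loads(await asyncio.wait_for(alice.recv(), wait))
                if isinstance(msg.get("result"), dict) and "action" in msg["result"]:
                    received.append(msg)
        except asyncio.TimeoutError:
            pass
    return leaked_records(received, SUBSCRIBER, authorized)

if __name__ == "__main__":
    print("offline sample leaks:", leaked_records(SAMPLE, SUBSCRIBER, ALICE_IDS))
    print("live check leaks:", asyncio.run(run_live_check()))
```

Run it against a disposable server started with `surreal start --user root --pass root memory` (the root credentials are the example's assumption). On the constructed sample, the check flags note:b1 and note:b2 and leaves alice's own records alone; against a live server, the same classifier is applied to whatever the subscription actually delivers, and the DELETE case is handled both when the payload is the bare record id and when it is the full record.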
📡 Detection & Monitoring
Log Indicators:
- LIVE SELECT statements issued by record or guest users, especially long-lived subscriptions with WHERE clauses on tables whose PERMISSIONS filter rows per user
- Failed access attempts from a record or guest session followed by live queries opened from the same session
Note: at its default log level SurrealDB does not record individual statements; raise it (surreal start --log debug) or log the statements your application issues together with the authenticated identity, otherwise these indicators are not observable.
Network Indicators:
- Increased volume of live-query notification traffic towards record or guest sessions on tables holding data those users may only partly read
- Abnormal timing of live query requests coinciding with other users' modifications
SIEM Query (illustrative; the field names depend on how your log pipeline parses SurrealDB or application logs):
source="surrealdb" AND ("LIVE SELECT" OR "subscription") AND user_type IN ("record", "guest")
🔗 References
- https://access.redhat.com/security/cve/CVE-2025-11060
- https://bugzilla.redhat.com/show_bug.cgi?id=2394708
- https://github.com/surrealdb/surrealdb
- https://github.com/surrealdb/surrealdb/commit/d81169a06b89f0c588134ddf2d62eeb8d5e8fd0c
- https://github.com/surrealdb/surrealdb/pull/6247
- https://github.com/surrealdb/surrealdb/security/advisories/GHSA-7vm2-j586-vcvc
- https://surrealdb.com/docs/surrealql/statements/live