Nixpkgs security tracker

Published

Permalink CVE-2025-11060

5.7 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 5 months, 1 week ago by @LeSuisse Activity log

Created suggestion 6 months ago
@LeSuisse ignored package surrealdb-migrations 5 months, 1 week ago
@LeSuisse accepted 5 months, 1 week ago
@LeSuisse published on GitHub 5 months, 1 week ago

Surrealdb: surrealdb is vulnerable to unauthorized data exposure via live query subscriptions

A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.

References

https://access.redhat.com/security/cve/CVE-2025-11060 vdb-entryx_refsource_REDHAT
RHBZ#2394708 issue-trackingx_refsource_REDHAT
https://github.com/surrealdb/surrealdb
https://github.com/surrealdb/surrealdb/commit/d81169a06b89f0c588134ddf2d62eeb8d…
https://github.com/surrealdb/surrealdb/pull/6247
https://github.com/surrealdb/surrealdb/security/advisories/GHSA-7vm2-j586-vcvc
https://surrealdb.com/docs/surrealql/statements/live

Affected products

surrealdb

<3.3.0-alpha.7
<2.2.8
<2.3.8
<2.1.9

openshift-service-mesh/istio-cni-rhel9

openshift-service-mesh/istio-pilot-rhel9

openshift-service-mesh/istio-proxyv2-rhel9

openshift-service-mesh/istio-rhel9-operator

openshift-service-mesh/istio-must-gather-rhel9

openshift-service-mesh/istio-sail-operator-bundle

openshift-service-mesh-tech-preview/istio-ztunnel-rhel9

openshift-service-mesh-dev-preview-beta/istio-ztunnel-rhel9

Matching in nixpkgs

pkgs.surrealdb

Scalable, distributed, collaborative, document-graph database, for the realtime web

nixos-unstable 2.3.8
- nixpkgs-unstable 2.3.8
- nixos-unstable-small 2.3.10

Ignored packages (1)

pkgs.surrealdb-migrations

Awesome SurrealDB migration tool, with a user-friendly CLI and a versatile Rust library that enables seamless integration into any project

nixos-unstable 2.3.0
- nixpkgs-unstable 2.3.0
- nixos-unstable-small 2.3.0

Package maintainers

@happysalada Raphael Megzari <raphael@megzari.com>
@sikmir Nikolay Korotkiy <sikmir@disroot.org>
@siriobalmelli Sirio Balmelli <sirio@b-ad.ch>