Résumé
SurrealDB: Indexed ORDER BY leaks the value ordering of a SELECT-restricted field
Détails de l’avis
A field can be hidden from a user with a field-level SELECT permission (DEFINE FIELD code ON secret PERMISSIONS FOR select WHERE owner = $auth.id). When that field is indexed, a record user who cannot read it could still recover the relative ordering of its values across every record by issuing ORDER BY <field>: the field came back null as intended, but the rows were returned in the hidden values' true sorted order.
To satisfy the sort, the planner selects the field's index and walks it in value order; the field-level permission is applied later, when the row is projected, so the value is nulled but the row order already encodes it. The guard that withholds restricted fields from the WHERE path was never applied to ORDER BY.
Impact
What an attacker can do:
- As a record (scope) user with table SELECT, learn the relative ordering of a field hidden by a field-level SELECT permission, across other users' records, by ordering on it when an index covers the field — the value returns
null, but the rows come back in the hidden values' order. - With rows they control in the same table, use that ordering to narrow the hidden values toward exact ones.
What it can't do:
- Read the field value directly — only its relative ordering leaks; the projected value is correctly redacted.
- Cross table, record, or namespace/database boundaries — the table's SELECT permission and any row-level
WHEREare still enforced, so only records the caller may already read are ordered. - Leak anything when the restricted field is not indexed, affect root or record-owner sessions, or modify data (confidentiality only).
Patches
The query planner now applies the field-permission guard to the ORDER BY clause as well as the WHERE clause. When an ordered field is hidden from the caller by a field-level SELECT permission, the index sort pushdown is withheld and the rows are sorted after redaction instead, so the row order no longer reflects the hidden values. The dynamic-scan fallback is closed the same way, and a regression test was added.
The fix is included in SurrealDB 3.1.5.
Workarounds
Users unable to upgrade are advised to consider the following:
- Force the legacy executor with
SURREAL_PLANNER_STRATEGY=compute-only; the sort then runs after redaction, so no ordering leaks. - Do not place an index on a field whose values are hidden by a field-level SELECT permission — without the index the leak does not occur.
- Do not rely on field-level SELECT permissions to hide values on indexed fields from record users; restrict at the table level instead.
- Use namespace / database isolation as the primary trust boundary where feasible.
References
- SurrealQL Documentation — DEFINE FIELD
- SurrealQL Documentation — DEFINE INDEX
- SurrealQL Documentation — DEFINE TABLE … PERMISSIONS
- Related advisory (same class, indexed COUNT variant): GHSA-c8jx-96c9-8xrp
fix(planner): prevent ORDER BY value-ordering oracle on restricted SELECT fieldsfix(planner): close ORDER BY value-ordering oracle on the DynamicScan fallback
Acknowledgements
Thanks to George Chen (@geo-chen) for finding and reporting this issue.
Références
Vulnérabilités liées
Tout Supply chain →- CRITICALCVE-2026-55447
Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit
- HIGHCVE-2026-22555
Gitea before 1.26.0 is missing a `CanCreateOrgRepo` permission check on its fork API (CVE-2026-22555). A user without permission to create repositories in an organization could fork into it and, in doing so, exfiltrate the organization's secrets. It is a broken-authorization flaw that leaks organization and CI/CD secrets to users who should not have access to them.
- LOWGHSA-g7r4-m6w7-qqqr
esbuild's development server (versions 0.27.3 up to but not including 0.28.1) allows arbitrary file read on Windows: a crafted request path can escape the served directory and read files elsewhere on disk. It affects the development server only, not production builds, but anyone running `esbuild --serve` on Windows is exposed to any local or networked attacker who can reach the server.
- CRITICALCVE-2024-23897
CVE-2024-23897 was a critical arbitrary file read vulnerability in the Jenkins automation server, identified by Sonar's Vulnerability Research and disclosed in the Jenkins security advisory on January 24, 2024, affecting Jenkins weekly up to 2.441 and LTS up to 2.426.2. Jenkins parses built-in CLI command arguments with the args4j library, whose expandAtFiles feature is enabled by default and replaces an argument that begins with an @ character followed by a file path with the contents of that file; because Jenkins never disabled this, an attacker could pass @/path/to/file as a CLI argument to make the controller read and disclose files from its filesystem. Unauthenticated attackers could read the first few lines of arbitrary files, while attackers with Overall/Read permission could read entire files, enabling theft of secrets, SSH keys, and credentials. The leaked binary secret keys could then be chained into full remote code execution by forging Remember-me cookies, abusing Resource Root URLs, bypassing CSRF protection, or decrypting stored secrets. The flaw was added to the CISA KEV catalog on August 19, 2024 and was actively exploited, including by the RansomEXX ransomware gang and the actor IntelBroker, and was linked to breaches at BORN Group and Brontoo Technology Solutions.
- CRITICALSC-MOVEIT-CLOP-2023
Starting 27 May 2023, the Clop extortion gang mass-exploited a SQL-injection zero-day, CVE-2023-34362, in Progress MOVEit Transfer, a managed file-transfer product that organizations use to move sensitive files. Before any patch existed, Clop hit internet-facing MOVEit servers across the world, planting a web shell called LEMURLOOT and stealing the contents of the underlying databases. There was no encryption and no ransomware downtime: Clop simply exfiltrated data and extorted victims by threatening to publish it on its leak site. Because MOVEit sits at the data's edge and is used by vendors of vendors, a single product flaw cascaded to about 2,770 organizations and roughly 95 million people, including governments, banks, and household-name companies. Progress patched on 31 May 2023, after exploitation was already widespread. It is the lesson that managed file-transfer and other internet-facing data apps are prime mass-exploitation targets.
- HIGHCVE-2022-24348
CVE-2022-24348 was a high-severity (CVSS 7.7) path traversal vulnerability in Argo CD, the GitOps continuous delivery tool for Kubernetes, discovered by Apiiro and disclosed in early February 2022, affecting Argo CD before 2.1.9 and 2.2.x before 2.2.4. An attacker with permission to create or update Argo CD applications could craft a malicious Kubernetes Helm chart whose values file was a symbolic link pointing outside the repository root, or pass arbitrary values files, so that when Argo CD's Helm chart processing dereferenced the link it read files belonging to other applications on the repo server. This broke the multi-tenant isolation boundary of the CD layer, letting the attacker exfiltrate sensitive data from neighboring tenants, including secrets in encrypted value files decrypted to disk by plugins such as git-crypt or SOPS, and use verbose Helm error messages to enumerate the filesystem. The issue was fixed in Argo CD 2.1.9, 2.2.4, and 2.3.0; it was treated as a zero-day at disclosure but was not associated with named ransomware operators.