Summary
SurrealDB: Arbitrary file read via DEFINE ANALYZER mapper() filter
Advisory details
SurrealDB's full-text search lets you define a text analyzer whose mapper filter loads a term-mapping file from disk (DEFINE ANALYZER ... FILTERS mapper('<path>')). A database user with the EDITOR or OWNER role could point that filter at any file the SurrealDB process can read and have its content returned in the query's error message.
File access is meant to be restricted by the SURREAL_FILE_ALLOWLIST setting, but an empty allowlist applied no restriction at all — and empty is the default.
Impact
The file is read with the privileges of the SurrealDB process, so a database EDITOR or OWNER user can disclose the contents of any file the process can access. Because the content is returned through the analyzer's parse error, only the first line of the file is disclosed; a file that contains no newline at all is disclosed in full.
That limit matters less than it sounds. The process's own command line and environment (on Linux, /proc/self/cmdline and /proc/self/environ, which are NUL-separated and contain no newline) can be recovered whole, exposing startup root credentials (--user / --pass) and secret environment variables and escalating a single-database role toward full control of the instance.
The read on the underlying filesystem is bounded by what the SurrealDB process can reach — any file readable by the OS user it runs as — so the impact scales with how the process is run and what is mounted into it.
Patches
A patch has been included in SurrealDB 3.1.5.
File access is now secure by default. check_is_path_allowed denies every path when no SURREAL_FILE_ALLOWLIST is configured, so the mapper filter cannot open any file unless the operator has explicitly allowed its directory. Analyzer parse errors no longer include the contents of the mapped file, only the line number.
Workarounds
Users unable to upgrade are advised to consider the following:
- Set SURREAL_FILE_ALLOWLIST to a directory that contains only the intended mapping files; this confines the mapper filter to that path. On affected versions the allowlist must be non-empty to have any effect.
- Grant the EDITOR and OWNER database roles only to trusted principals.
- Avoid supplying secrets, including the root credentials, on the command line or through environment variables; prefer mounted files with least-privilege permissions.
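The two behaviours described under Patches and the allowlist workaround above, modelled as an added example. This is illustrative Python written for this page, not SurrealDB's own Rust code: is_path_allowed_affected/is_path_allowed_fixed, load_mapper and the leak_content flag are hypothetical names; the two-column tab-separated mapping format, the comma-separated allowlist syntax and the sample files are assumptions constructed for the demo. It shows that an empty allowlist passes every path on the affected semantics and denies every path on the fixed ones, that a non-empty allowlist still has to canonicalise paths so `..` and symlinks cannot escape the allowed directory, and why an error that echoes the offending line leaks the first line of an arbitrary file (and all of a newline-free one such as a process command line) while an error that reports only the line number does not.

```python
import os
import tempfile
from pathlib import Path


class MapperParseError(Exception):
    """Raised when a mapping file does not have the expected layout."""


def parse_allowlist(value: str) -> list[str]:
    """Split an allowlist setting into paths (comma separator is an assumption)."""
    return [p.strip() for p in value.split(",") if p.strip()]


def _under_allowed_dir(path: str, allowlist: list[str]) -> bool:
    # Canonicalise both sides first: resolve() follows symlinks and collapses
    # '..', so 'analyzers/../secret.conf' or a symlink planted inside the
    # allowed directory is compared by where it really points.
    real = Path(path).resolve()
    for root in allowlist:
        real_root = Path(root).resolve()
        if real == real_root or real_root in real.parents:
            return True
    return False


def is_path_allowed_affected(path: str, allowlist: list[str]) -> bool:
    """Affected semantics (modelled): no allowlist means no restriction."""
    if not allowlist:
        return True
    return _under_allowed_dir(path, allowlist)


def is_path_allowed_fixed(path: str, allowlist: list[str]) -> bool:
    """Fixed semantics (modelled): no allowlist means every path is denied."""
    if not allowlist:
        return False
    return _under_allowed_dir(path, allowlist)


def load_mapper(path, leak_content: bool = False) -> dict[str, str]:
    """Parse a hypothetical two-column TSV mapping file (term<TAB>replacement).

    With leak_content=True the error echoes the offending line, which is the
    information leak: parsing stops at the first bad line, so an attacker who
    points the mapper at /etc/passwd gets its first line back verbatim.
    """
    mapping = {}
    with open(path, encoding="utf-8", errors="replace") as f:
        for lineno, raw in enumerate(f, 1):
            line = raw.rstrip("\n")
            if not line:
                continue
            parts = line.split("\t")
            if len(parts) != 2:
                if leak_content:
                    raise MapperParseError(f"line {lineno}: bad mapping {line!r}")
                raise MapperParseError(f"line {lineno}: expected two tab-separated columns")
            mapping[parts[0]] = parts[1]
    return mapping


def demo() -> dict:
    """Build a throwaway layout (constructed data) and exercise both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        allowed = base / "analyzers"
        allowed.mkdir()
        good = allowed / "synonyms.tsv"
        good.write_text("colour\tcolor\n")
        secret = base / "secret.conf"  # stands in for any file outside the allowlist
        secret.write_text("db_password=hunter2\nsecond=line\n")
        cmdline = base / "cmdline"  # NUL-separated, no newline, like /proc/self/cmdline
        cmdline.write_bytes(b"surreal\0start\0--user\0root\0--pass\0s3cret")
        allowlist = parse_allowlist(str(allowed))
        r = {
            "empty_affected": is_path_allowed_affected(str(secret), []),
            "empty_fixed": is_path_allowed_fixed(str(secret), []),
            "good_fixed": is_path_allowed_fixed(str(good), allowlist),
            "traversal_fixed": is_path_allowed_fixed(str(allowed / ".." / "secret.conf"), allowlist),
            "mapping": load_mapper(good),
        }
        try:
            link = allowed / "escape.tsv"
            link.symlink_to(secret)
            r["symlink_fixed"] = is_path_allowed_fixed(str(link), allowlist)
        except OSError:  # platform refuses symlinks; nothing to check
            r["symlink_fixed"] = None
        for key, target, leak in (("affected_error", secret, True),
                                  ("fixed_error", secret, False),
                                  ("cmdline_error", cmdline, True)):
            try:
                load_mapper(target, leak_content=leak)
            except MapperParseError as e:
                r[key] = str(e)
        return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The symlink case is the reason the workaround says to point the allowlist at a directory that contains only the mapping files: a prefix check on the unresolved string would pass `analyzers/escape.tsv` even though it reads `secret.conf`.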
References
- SurrealQL Documentation — DEFINE ANALYZER
- SurrealDB Documentation — Capabilities
- Related earlier advisory: GHSA-2cvj-g5r5-jrrg local file read of 2-column TSV files via analyzers
- https://github.com/surrealdb/surrealdb/pull/5600
- fix(iam): deny filesystem access by default and stop leaking file content in analyzer errors
Acknowledgements
Thanks to Jan Kahmen (@kah-ja) for finding and reporting this issue.