VYPR
Unrated severity · NVD Advisory · Published Feb 7, 2025 · Updated Feb 13, 2025

Apache Kvrocks: Cross-Protocol Scripting Vulnerability

CVE-2025-25069

Description

A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.

Because Kvrocks did not check whether "Host:" or "POST" appears as a command in RESP requests, a valid HTTP request can also be sent to Kvrocks and parsed as a valid RESP request, triggering database operations. This is dangerous when chained with SSRF.

It is similar to CVE-2016-10517 in Redis.

This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.

Users are recommended to upgrade to version 2.11.1, which fixes the issue.
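The mechanism above is easy to see in code. The following is an added example, not Kvrocks' own source: a minimal RESP command reader with the guard Redis added for CVE-2016-10517, which refuses to execute a command named "POST" or "Host:" and closes the connection, because those two words begin every HTTP request and never appear as legitimate RESP command names. The HTTP request and the key names below are constructed sample input; that Kvrocks 2.11.1 fixes the issue with exactly this check is an assumption.

```python
"""
Added example (not Kvrocks code): how an HTTP request is read by a RESP server,
and the cross-protocol guard that stops it.  A RESP server accepts two request
forms: multibulk ("*<n>\r\n$<len>\r\n<bytes>\r\n...") and inline (one line of
space-separated words).  Every line of an HTTP request is a valid inline command,
so "POST / HTTP/1.1" and "Host: ..." parse as commands named "POST" and "Host:",
and a body line such as "SET ..." is executed as-is.
"""
from __future__ import annotations

# Command names that begin every HTTP request but never legitimate RESP traffic.
# Redis aborts the connection when argv[0] matches one of these (CVE-2016-10517).
CROSS_PROTOCOL_MARKERS = {b"post", b"host:"}


def read_line(buf: bytes) -> tuple[bytes, bytes]:
    """Return (line_without_crlf, remaining_bytes); raise if no CRLF is present."""
    idx = buf.find(b"\r\n")
    if idx < 0:
        raise ValueError("incomplete line")
    return buf[:idx], buf[idx + 2:]


def parse_command(buf: bytes) -> tuple[list[bytes], bytes]:
    """Parse one command (multibulk or inline) from buf; return (argv, rest)."""
    if buf.startswith(b"*"):
        header, rest = read_line(buf)
        argc = int(header[1:])
        if argc < 0 or argc > 1024 * 1024:
            raise ValueError("bad multibulk count")
        argv = []
        for _ in range(argc):
            len_line, rest = read_line(rest)
            if not len_line.startswith(b"$"):
                raise ValueError("expected bulk length")
            blen = int(len_line[1:])
            if blen < 0 or len(rest) < blen + 2 or rest[blen:blen + 2] != b"\r\n":
                raise ValueError("bad bulk string")
            argv.append(rest[:blen])
            rest = rest[blen + 2:]
        return argv, rest
    # Inline protocol: whitespace-separated words on one line (HTTP lines land here).
    line, rest = read_line(buf)
    return line.split(), rest


def serve(buf: bytes, execute, guard: bool = True) -> list:
    """Process every complete command in buf and return a log of outcomes.
    With guard=True the connection is closed on a cross-protocol marker before
    anything executes; guard=False models the unpatched behaviour."""
    log = []
    while buf:
        argv, buf = parse_command(buf)
        if not argv:          # the blank line between HTTP headers and body
            continue
        if guard and argv[0].lower() in CROSS_PROTOCOL_MARKERS:
            log.append(("closed", "possible cross-protocol scripting attack"))
            return log
        log.append(("executed", execute(argv)))
    return log


def make_store():
    """Toy key-value executor (stand-in for the database) plus its backing dict."""
    store: dict[bytes, bytes] = {}

    def execute(argv: list[bytes]) -> bytes:
        name = argv[0].upper()
        if name == b"SET" and len(argv) == 3:
            store[argv[1]] = argv[2]
            return b"+OK"
        if name == b"GET" and len(argv) == 2:
            return b"$" + store.get(argv[1], b"(nil)")
        return b"-ERR unknown command " + argv[0]

    return execute, store


# Constructed sample: an HTTP POST whose body is a RESP command, as a browser
# or an SSRF relay would deliver it to a database port.
HTTP_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 127.0.0.1:6666\r\n"
    b"Content-Length: 23\r\n"
    b"\r\n"
    b"SET key attackervalue\r\n"
)

# Constructed sample: a normal RESP pipeline from a real client.
RESP_PIPELINE = b"*3\r\n$3\r\nSET\r\n$1\r\nk\r\n$1\r\nv\r\n*2\r\n$3\r\nGET\r\n$1\r\nk\r\n"


if __name__ == "__main__":
    ex, store = make_store()
    print("guarded:  ", serve(HTTP_REQUEST, ex), store)
    ex, store = make_store()
    print("unguarded:", serve(HTTP_REQUEST, ex, guard=False), store)
    ex, store = make_store()
    print("resp:     ", serve(RESP_PIPELINE, ex), store)
```

Running the block shows the contrast: with the guard the connection is closed at the request line and the store stays empty; without it the three HTTP header lines produce harmless "unknown command" errors and the body line is executed as a real SET. The guard costs one case-insensitive comparison per command and does not affect the multibulk pipeline, which is why the same check has been acceptable in Redis since 2016.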

Affected products (2)

  • Apache/Kvrocks
    Range: <=2.11.0
  • Apache Software Foundation/Apache Kvrocks
    Range: 0
