oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-25069: Apache Kvrocks: Cross-Protocol Scripting Vulnerability

From: Mingyang Liu <twice () apache org>
Date: Fri, 07 Feb 2025 12:31:57 +0000
Severity: Moderate

Affected versions:

- Apache Kvrocks through 2.11.0

Description:

A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.

Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests,
a valid HTTP request can also be sent to Kvrocks as a valid RESP request 
and trigger some database operations, which can be dangerous when 
it is chained with SSRF.

It is similiar to CVE-2016-10517 in Redis.

This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.

Users are recommended to upgrade to version 2.11.1, which fixes the issue.

Credit:

Sergey Volosatov (reporter)

References:

https://www.cve.org/CVERecord?id=CVE-2016-10517
https://kvrocks.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-25069
Previous By Date Next
Previous By Thread Next

Current thread: