Cross-Protocol Scripting Vulnerability in Apache Kvrocks
CVE-2025-25069
6.5 MEDIUM
Summary
A Cross-Protocol Scripting vulnerability exists in Apache Kvrocks due to inadequate validation of HTTP requests within RESP protocol handling. This flaw allows malicious actors to send crafted HTTP requests that Kvrocks incorrectly interprets as valid RESP commands. The vulnerability could lead to dangerous database operations, especially when exploited in conjunction with Server-Side Request Forgery (SSRF) attacks. Users are advised to upgrade to Kvrocks version 2.11.1 to mitigate this issue.
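The mechanism described above, illustrated from the defender's side as an added example that is not Kvrocks' own code (the actual fix shipped in 2.11.1 may differ): a pre-filter for the RESP inline command form that closes the connection as soon as a line looks like an HTTP request line or a Host: header, so nothing in the HTTP body is ever dispatched as a command. The method list and the exact rejection rule are assumptions for this illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iterator>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical pre-filter (assumption, not Kvrocks' own code). RESP's inline
// form treats a bare line as a whitespace-separated command, so an HTTP line
// such as "POST / HTTP/1.1" would become command "POST" with two arguments and
// every body line a further command. Dropping the connection at the first HTTP
// artefact (request line or "Host:" header) keeps the body from being run.

static std::string ToUpper(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
  return s;
}

// Split an inline command line on whitespace, as the inline parser would.
static std::vector<std::string> SplitWords(const std::string& line) {
  std::istringstream in(line);
  return std::vector<std::string>(std::istream_iterator<std::string>(in),
                                  std::istream_iterator<std::string>());
}

// True if an inline line is an HTTP request line or a "Host:" header.
bool IsCrossProtocolLine(const std::string& line) {
  const std::vector<std::string> w = SplitWords(line);
  if (w.empty()) return false;
  const std::string first = ToUpper(w[0]);
  if (first == "HOST:") return true;
  static const char* const kMethods[] = {"GET",     "POST",  "PUT",     "DELETE", "HEAD",
                                         "OPTIONS", "PATCH", "CONNECT", "TRACE"};
  const bool is_method =
      std::find(std::begin(kMethods), std::end(kMethods), first) != std::end(kMethods);
  return is_method && w.size() == 3 && ToUpper(w[2]).rfind("HTTP/", 0) == 0;
}

// Simulates one connection: returns the command names that would reach the
// dispatcher. Processing stops at the first HTTP artefact (connection closed).
std::vector<std::string> AcceptedCommands(const std::vector<std::string>& lines) {
  std::vector<std::string> accepted;
  for (const std::string& line : lines) {
    if (IsCrossProtocolLine(line)) break;
    const std::vector<std::string> w = SplitWords(line);
    if (!w.empty()) accepted.push_back(ToUpper(w[0]));
  }
  return accepted;
}
```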
Affected Version(s)
Apache Kvrocks, versions 0 through 2.11.0 inclusive (<= 2.11.0)
References
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Sergey Volosatov