CVE-2025-25069

CWE-115 | 3 documents | 3 sources
Severity: 6.5 MEDIUM
EPSS: 0.8% (top 25.62%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 7

Description

A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when it is chained with SSRF. It is similar to CVE-2016-10517 in Redis. This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0. Users are recommended to upgrade to version 2.11.1, whi
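As an added illustration of the check the fix describes (example code, not Kvrocks' or Redis' own; the function names and the sample requests below are constructed), a minimal RESP command reader that refuses a connection whose first command is an HTTP request line or header, which is how a server keeps an HTTP request from being executed as database commands:

```python
# Added example, not Kvrocks or Redis code: a guard that applies the mitigation
# described above. RESP accepts an inline form ("GET key\r\n") as well as the
# multi-bulk form, and "POST / HTTP/1.1\r\n" is a syntactically valid inline
# command, so the guard refuses a connection whose first command token is the
# HTTP marker "POST" or "Host:" (the same check Redis added for CVE-2016-10517).
from __future__ import annotations

HTTP_MARKERS = {b"POST", b"Host:"}


def parse_first_command(data: bytes) -> list[bytes] | None:
    """Return the tokens of the first RESP command, or None if incomplete/malformed."""
    end = data.find(b"\r\n")
    if end < 0:
        return None
    first = data[:end]
    if not first.startswith(b"*"):
        return first.split() or None  # inline request: one whitespace-separated line
    try:  # multi-bulk: *<n>\r\n then n bulk strings of the form $<len>\r\n<bytes>\r\n
        count = int(first[1:])
    except ValueError:
        return None
    pos, tokens = end + 2, []
    for _ in range(count):
        hdr_end = data.find(b"\r\n", pos)
        if hdr_end < 0 or data[pos:pos + 1] != b"$":
            return None
        try:
            length = int(data[pos + 1:hdr_end])
        except ValueError:
            return None
        start = hdr_end + 2
        if len(data) < start + length + 2:
            return None  # bulk string not fully received yet
        tokens.append(data[start:start + length])
        pos = start + length + 2
    return tokens


def is_cross_protocol_request(data: bytes) -> bool:
    """True when the connection's first command looks like an HTTP request."""
    tokens = parse_first_command(data)
    return bool(tokens) and tokens[0] in HTTP_MARKERS


# Constructed samples: a genuine RESP request and an HTTP request hitting the RESP port.
RESP_REQUEST = b"*2\r\n$3\r\nGET\r\n$3\r\nfoo\r\n"
HTTP_REQUEST = b"POST / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
```

A server would run this check on every command it parses and close the connection on a hit, rather than only on the first one as shown here.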

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages: 2 packages

Vulnerability Details (2 sources)

CVEList: Apache Kvrocks: Cross-Protocol Scripting Vulnerability (2025-02-07)
GHSA: GHSA-fp9p-7hx8-xfp3: A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks (2025-02-07)
CVE-2025-25069 (MEDIUM CVSS 6.5) | A Cross-Protocol Scripting vulnerab | cvebase.io