CVE-2025-25069

EUVD-2025-4010

07.02.2025, 13:15

A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.

Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests,
a valid HTTP request can also be sent to Kvrocks as a valid RESP request
and trigger some database operations, which can be dangerous when
it is chained with SSRF.

It is similiar to CVE-2016-10517 in Redis.

This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.

Users are recommended to upgrade to version 2.11.1, which fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA-ADP	ADP	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 78%

Affected Products (NVD)

Vendor	Product	Version
apache	kvrocks	𝑥 < 2.11.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-115 - Misinterpretation of Input
The software misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.

References

https://lists.apache.org/thread/gbxv9gpsskmdzg6z48zm3tvo8cyo9v3t

https://www.cve.org/CVERecord?id=CVE-2016-10517