CVE-2024-25115

Summary

RedisBloom adds a set of probabilistic data structures to Redis. Starting in version 2.0.0 and prior to version 2.4.7 and 2.6.10, specially crafted CF.LOADCHUNK commands may be used by authenticated users to perform heap overflow, which may lead to remote code execution. The problem is fixed in RedisBloom 2.4.7 and 2.6.10.

Affected Software

VendorProductVersion RangeStatus
RedisBloomRedisBloom>= 2.0.0, < 2.4.7affected
RedisBloomRedisBloom>= 2.5.0, < 2.6.10affected

Weaknesses

  • CWE-122: CWE-122: Heap-based Buffer Overflow
  • CWE-120: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References