CVE-2025-25069

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-25069
A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when it is chained with SSRF. It is similiar to CVE-2016-10517 in Redis. This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0. Users are recommended to upgrade to version 2.11.1, which fixes the issue.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/gbxv9gpsskmdzg6z48zm3tvo8cyo9v3t Mailing List Vendor Advisory
https://www.cve.org/CVERecord?id=CVE-2016-10517 Not Applicable
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:kvrocks:*:*:*:*:*:*:*:*
History

16 Jul 2025, 14:47

Type Values Removed Values Added
CPE cpe:2.3:a:apache:kvrocks:*:*:*:*:*:*:*:*
First Time Apache
Apache kvrocks
References () https://lists.apache.org/thread/gbxv9gpsskmdzg6z48zm3tvo8cyo9v3t - () https://lists.apache.org/thread/gbxv9gpsskmdzg6z48zm3tvo8cyo9v3t - Mailing List, Vendor Advisory
References () https://www.cve.org/CVERecord?id=CVE-2016-10517 - () https://www.cve.org/CVERecord?id=CVE-2016-10517 - Not Applicable

13 Feb 2025, 22:15

Type Values Removed Values Added
Summary
  • (es) Se ha detectado una vulnerabilidad de Cross-Protocol Scripting en Apache Kvrocks. Dado que Kvrocks no detecta si aparece "Host:" o "POST" en las solicitudes RESP, también se puede enviar una solicitud HTTP válida a Kvrocks como una solicitud RESP válida y activar algunas operaciones de base de datos, lo que puede ser peligroso cuando se encadena con SSRF. Es similar a CVE-2016-10517 en Redis. Este problema afecta a Apache Kvrocks: desde la versión inicial hasta la última versión 2.11.0. Se recomienda a los usuarios que actualicen a la versión 2.11.1, que soluciona el problema.
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5

07 Feb 2025, 13:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-07 13:15

Updated : 2025-07-16 14:47

NVD link : CVE-2025-25069

Mitre link : CVE-2025-25069

CVE.ORG link : CVE-2025-25069

JSON object : View

Products Affected

apache

  • kvrocks
CWE
CWE-115

Misinterpretation of Input