Improper Input Validation vulnerability in Apache Kvrocks.

The SETRANGE command did not check whether the `offset` input is a positive integer before using it as an index
into a string, so an out-of-range index causes the server to crash.
This issue affects Apache Kvrocks: through 2.11.1.

Users are recommended to upgrade to version 2.12.0, which fixes the issue.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 23 Jun 2025 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache kvrocks
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:apache:kvrocks:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache kvrocks

Mon, 12 May 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 22 Apr 2025 09:45:00 +0000

Type Values Removed Values Added
References

Tue, 22 Apr 2025 07:30:00 +0000

Type Values Removed Values Added
Description Improper Input Validation vulnerability in Apache Kvrocks. The SETRANGE command didn't check if the `offset` input is a positive integer and use it as an index of a string. So it will cause the server to crash due to its index is  out of range. This issue affects Apache Kvrocks: through 2.11.1. Users are recommended to upgrade to version 2.12.0, which fixes the issue.
Title Apache Kvrocks: The server was crashed by the negative offset
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-05-12T15:47:39.924Z

Reserved: 2025-02-10T12:29:42.521Z

Link: CVE-2025-26413

Vulnrichment

Updated: 2025-04-22T09:03:20.306Z

NVD

Status: Analyzed

Published: 2025-04-22T08:15:28.853

Modified: 2025-06-23T19:25:25.167

Link: CVE-2025-26413

Redhat

No data.

OpenCVE Enrichment

No data.