Description
RedisTimeSeries is a time-series module for Redis. In all versions before 1.12.14 of RedisTimeSeries, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisTimeSeries module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This has been patched in version 1.12.14.
Published: 2026-05-05
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in RedisTimeSeries versions prior to 1.12.14 allows an authenticated attacker with permission to run the RESTORE command to supply a crafted serialized payload. The module does not properly validate the payload, leading to an invalid memory access that may result in remote code execution. The vulnerability is classified as a buffer overflow.

Affected Systems

Any Redis deployment that loads the RedisTimeSeries module at a version before 1.12.14. The impact extends to the whole server process, because the vulnerable RESTORE handling runs with the Redis server's privileges.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, so the likelihood of exploitation in the wild is uncertain. An attacker must authenticate and be granted the RESTORE command; once those conditions are met, the flaw can be triggered by sending a malicious payload. The exploitation path requires no privileges beyond the RESTORE permission.

Generated by OpenCVE AI on May 5, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to RedisTimeSeries 1.12.14 or later, which fixes the missing validation of RESTORE payloads.
  • If an upgrade cannot be applied immediately, configure ACL rules that deny the RESTORE command to every user except those that genuinely need it.
  • If the module is not required, unload RedisTimeSeries from the Redis instance until it can be patched, which removes the attack surface entirely.

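
The ACL workaround from the recommendations above, written out as an added example of a Redis users.acl file (constructed for this page, not taken from the advisory or the RedisTimeSeries project); the user names and passwords are placeholders. The hardened form also denies RESTORE-ASKING, the cluster-migration variant that Redis dispatches to the same restore handler.

```text
# users.acl (constructed example, not from the RedisTimeSeries project)
#
# Weak: the default user has no password and every command, so any client
# that can reach the port may send RESTORE to the loaded module.
#   user default on nopass ~* &* +@all
#
# Hardened: disable the default user, give the application user every
# command except RESTORE (and RESTORE-ASKING, which shares its handler), and
# keep RESTORE on one dedicated account used only for key migration.
user default off
user app on >APP-PASSWORD-PLACEHOLDER ~* &* +@all -restore -restore-asking
user migrator on >MIGRATOR-PASSWORD-PLACEHOLDER ~* &* -@all +restore +restore-asking +ping
```

Point redis.conf at the file with `aclfile`, load it with `ACL LOAD`, and confirm with `ACL GETUSER app` that restore is absent from the allowed commands. Denied RESTORE attempts are recorded in `ACL LOG`, which gives a detection signal while the module remains unpatched.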
Advisories

No advisories yet.

History

Tue, 05 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | RedisTimeSeries is a time-series module for Redis. In all versions before 1.12.14 of RedisTimeSeries, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisTimeSeries module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This has been patched in version 1.12.14.
Title | | RedisTimeSeries RESTORE invalid memory access may allow remote code execution
Weaknesses | | CWE-122
References | |
Metrics | | cvssV4_0: {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T16:48:29.385Z

Reserved: 2026-02-03T01:02:46.716Z

Link: CVE-2026-25588

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-05T17:17:03.800

Modified: 2026-05-05T19:38:32.193

Link: CVE-2026-25588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T18:30:29Z

Weaknesses