CVE-2025-26413
📋 TL;DR
An improper input validation vulnerability in Apache Kvrocks allows attackers to crash the server by sending a negative offset value to the SETRANGE command. This affects all users running Apache Kvrocks versions through 2.11.1. The vulnerability enables denial of service attacks against the database service.
💻 Affected Systems
- Apache Kvrocks
📦 What is this software?
Kvrocks by Apache. Apache Kvrocks is an open-source key-value database that speaks the Redis wire protocol (clients such as redis-cli work against it) and uses RocksDB as its storage engine.
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage of the Kvrocks database, causing application downtime and data unavailability until service is restored.
Likely Case
Intermittent service disruptions and database crashes when malicious inputs are processed, requiring manual restart of the Kvrocks service.
If Mitigated
No impact if the vulnerability is patched or if network controls prevent unauthorized access to the Kvrocks service.
🎯 Exploit Status
The vulnerability requires sending a simple malformed command, making exploitation trivial for anyone with network access to the service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.12.0
Vendor Advisory: https://lists.apache.org/thread/388743qrr8yq8qm0go8tls6rf1kog8dw
Restart Required: Yes
Instructions:
1. Download Apache Kvrocks 2.12.0 from official sources.
2. Stop the running Kvrocks service.
3. Install version 2.12.0.
4. Restart the Kvrocks service.
5. Verify the version is now 2.12.0.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to Kvrocks instances to trusted sources only, using firewall rules. Replace trusted_ip_range with your own CIDR; note that -A appends, so these rules only take effect if no earlier rule already accepts the traffic, and they must be persisted to survive a reboot.
iptables -A INPUT -p tcp --dport 6666 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 6666 -j DROP
Command Filtering
Use a proxy or middleware to filter out SETRANGE commands with negative offsets before they reach Kvrocks.
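One way to implement such a filter (and the matching detection logic from the monitoring section), as an added example that is not part of this advisory or of the Kvrocks project: a small Python RESP inspector that parses one client command frame and flags SETRANGE when its offset argument is negative. It assumes only that Kvrocks accepts the Redis RESP wire format; the sample frames are constructed.

```python
# Added example, not from the advisory or the Kvrocks project: a minimal RESP
# inspector a filtering proxy or IDS rule could apply before traffic reaches
# Kvrocks. A client command arrives as a RESP array of bulk strings, e.g.
# b"*4\r\n$8\r\nSETRANGE\r\n$3\r\nkey\r\n$2\r\n-1\r\n$5\r\nhello\r\n".

def parse_resp_command(data: bytes) -> list[bytes]:
    """Parse one RESP array of bulk strings into its argument list."""
    if not data.startswith(b"*"):
        raise ValueError("expected RESP array")
    end = data.index(b"\r\n")
    count = int(data[1:end])
    pos, args = end + 2, []
    for _ in range(count):
        if data[pos:pos + 1] != b"$":
            raise ValueError("expected bulk string")
        end = data.index(b"\r\n", pos)
        length = int(data[pos + 1:end])
        start = end + 2
        payload = data[start:start + length]
        # Length-prefixed read, so payloads that themselves contain CRLF are safe.
        if len(payload) != length or data[start + length:start + length + 2] != b"\r\n":
            raise ValueError("truncated bulk string")
        args.append(payload)
        pos = start + length + 2
    return args

def is_negative_offset_setrange(args: list[bytes]) -> bool:
    """True when the command is SETRANGE and its offset argument is negative."""
    if len(args) != 4 or args[0].upper() != b"SETRANGE":
        return False
    try:
        offset = int(args[2])
    except ValueError:
        return False  # non-integer offsets are left to the server's own argument checks
    return offset < 0

def should_block(data: bytes) -> bool:
    """Per-command decision a proxy would make: True means do not forward."""
    try:
        return is_negative_offset_setrange(parse_resp_command(data))
    except ValueError:
        return True  # fail closed; a real proxy would first buffer partial frames

# Constructed sample frames: "SETRANGE key -1 hello" and "SETRANGE key 5 hello".
SUSPICIOUS = b"*4\r\n$8\r\nSETRANGE\r\n$3\r\nkey\r\n$2\r\n-1\r\n$5\r\nhello\r\n"
BENIGN = b"*4\r\n$8\r\nSETRANGE\r\n$3\r\nkey\r\n$1\r\n5\r\n$5\r\nhello\r\n"

if __name__ == "__main__":
    print("suspicious frame blocked:", should_block(SUSPICIOUS))  # True
    print("benign frame blocked:", should_block(BENIGN))          # False
```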
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Kvrocks instances from untrusted networks.
- Deploy intrusion detection systems to monitor for SETRANGE commands with negative offset values and alert on suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check whether the Kvrocks version is 2.11.1 or earlier using the INFO command or a version check. To confirm the behaviour, send a SETRANGE command with a negative offset to a non-production instance and observe whether the service crashes.
Check Version:
redis-cli -h localhost -p 6666 INFO | grep redis_version
Verify Fix Applied:
After upgrading to 2.12.0, send a SETRANGE command with a negative offset and verify the service rejects it with an error instead of crashing.
📡 Detection & Monitoring
Log Indicators:
- Unexpected service crashes or restarts in Kvrocks logs
- Error messages related to SETRANGE command processing
- Segmentation fault or out of bounds errors in system logs
Network Indicators:
- SETRANGE commands with a negative offset argument in network traffic
- Unusual spike in connection attempts to Kvrocks port
SIEM Query:
source="kvrocks.log" AND ("crash" OR "segmentation fault" OR ("SETRANGE" AND "offset"))