CVE-2026-25588
Memory Corruption in RedisTimeSeries Module
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redistimeseries | redistimeseries | to 1.12.14 (exc) |
| redis | redistimeseries | to 1.12.14 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25588 is a high-severity vulnerability in the RedisTimeSeries module for Redis. It arises because the module does not properly validate serialized values processed through the RESTORE command. An authenticated attacker with permission to execute RESTORE can supply a specially crafted serialized payload that triggers invalid memory access, specifically a heap-based buffer overflow. This flaw can lead to remote code execution, allowing the attacker to run arbitrary code within the Redis server context.
How can this vulnerability impact me? :
Exploitation of this vulnerability can have serious impacts including compromise of the affected system. An attacker could execute arbitrary code remotely, potentially leading to unauthorized access, data exfiltration, disruption of services, or complete system takeover. The vulnerability affects confidentiality, integrity, and availability of the Redis server running the vulnerable RedisTimeSeries module.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying if the RedisTimeSeries module is loaded on your Redis server and if the RESTORE command is accessible to authenticated users.
You can check if the RedisTimeSeries module is loaded by running the following Redis command:
- MODULE LIST
To check if the RESTORE command is accessible, you can review the ACL rules with:
- ACL LIST
Additionally, monitoring logs for unusual or unauthorized RESTORE command usage may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves restricting access to the RESTORE command using Redis ACL rules to prevent unauthorized or untrusted users from executing it.
Applying the security patch by upgrading RedisTimeSeries to version 1.12.14 or later is the recommended permanent fix.
If you are using Redis 8 or later, consider using the integrated time series data structure instead of the standalone RedisTimeSeries module.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in RedisTimeSeries allows an authenticated attacker to execute arbitrary code on the Redis server, potentially compromising the confidentiality, integrity, and availability of the system.
Such a compromise could lead to unauthorized access to sensitive data, data exfiltration, or disruption of services, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information.
Mitigating this vulnerability by restricting access to the RESTORE command with ACL rules or applying the patch in version 1.12.14 is important to maintain compliance and reduce risk.