The Apache Software Foundation has issued a critical security advisory for Apache Kvrocks, a distributed key-value NoSQL database that speaks the Redis protocol. Two significant vulnerabilities have been patched, one of which lets an ordinary, non-administrative user gain full administrative control over the database.
Given Kvrocks' role as a high-performance, disk-based (RocksDB-backed) alternative to Redis for large datasets that do not fit in memory, these flaws pose a severe risk to data integrity and confidentiality in cloud-native environments.
The most severe vulnerability, tracked as CVE-2025-59790, is rated as Critical. It involves an “Improper Privilege Management” flaw where the RESET command can be exploited to grant administrative privileges to a non-privileged user.
In affected versions (v2.9.0 through v2.13.0), an attacker who already holds a low-privileged account could issue this command to elevate their permissions to administrator, bypassing the intended access controls. From there they could modify the server configuration, read or alter any stored data, or disrupt service, none of which their own credentials should permit.
A second vulnerability, CVE-2025-59792, is classified as Important. This flaw affects a wider range of versions (v1.0.0 through v2.13.0) and involves the MONITOR command.
The MONITOR command is a debugging aid that streams back every command the server processes. Because of this flaw, the stream also includes the plaintext credentials (such as passwords) that other clients send when they authenticate. A non-admin user with access to the MONITOR stream could capture those credentials and use them to log in as the affected clients. Since the leak is passive, upgrading alone does not revoke anything already captured; any password that may have been observed through MONITOR should be rotated.
The Apache Kvrocks community has released version 2.14.0 to address both issues. Operators running any release in the affected ranges should upgrade to 2.14.0 or later.
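As an added example (not code from the advisory or the Kvrocks project), the script below does the two checks a responder would want for the RESET and MONITOR issues described above: it maps a server version taken from an `INFO server` reply onto the inclusive affected ranges the advisory gives, and it scans captured MONITOR output for `AUTH` commands so that leaked credentials can be counted and redacted before the capture is shared. It assumes the `INFO` reply carries a `version:` field and that Kvrocks MONITOR lines follow the Redis layout `<timestamp> [<client context>] "CMD" "arg" ...`; the sample MONITOR lines are constructed for the example.

```python
"""Triage helpers for the Kvrocks RESET (CVE-2025-59790) and MONITOR (CVE-2025-59792) advisories."""
import re

# Inclusive affected ranges and fixed release, as stated in the advisory summary.
ADVISORIES = {
    "CVE-2025-59790": ((2, 9, 0), (2, 13, 0), "RESET grants admin privileges to a non-admin user"),
    "CVE-2025-59792": ((1, 0, 0), (2, 13, 0), "MONITOR stream exposes AUTH credentials of other clients"),
}
FIXED_VERSION = (2, 14, 0)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'v2.12.0' or '2.12.0-rc1' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_from_info(info_text):
    """Extract the server version from an INFO reply (assumed to carry a 'version:' field)."""
    for line in info_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "version":
            return parse_version(value)
    raise ValueError("no 'version' field in INFO output")


def affected_cves(version):
    """Return the CVE identifiers whose affected range includes this version."""
    return [cve for cve, (lo, hi, _) in ADVISORIES.items() if lo <= version <= hi]


# Assumed MONITOR line layout (Redis style): '<ts> [<client context>] "CMD" "arg" ...'
_MONITOR_RE = re.compile(r'^(?P<ts>\S+) \[(?P<client>[^\]]*)\] (?P<argv>.*)$')
_ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_monitor_line(line):
    """Split one MONITOR line into (timestamp, client context, argv); None if it does not match."""
    m = _MONITOR_RE.match(line)
    if not m:
        return None
    # Undo the \" and \\ escaping MONITOR applies to quoted arguments.
    argv = [re.sub(r"\\(.)", r"\1", a) for a in _ARG_RE.findall(m.group("argv"))]
    return m.group("ts"), m.group("client"), argv


def find_credential_leaks(monitor_lines):
    """Report every AUTH seen in a MONITOR capture, with the secret redacted.

    Handles both 'AUTH <password>' and 'AUTH <username> <password>': the last
    argument is the secret, anything before it (the username) is kept.
    """
    leaks = []
    for line in monitor_lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, client, argv = parsed
        if len(argv) >= 2 and argv[0].upper() == "AUTH":
            secret = argv[-1]
            redacted = " ".join(argv[:-1] + ["<redacted>"])
            leaks.append({"ts": ts, "client": client, "command": redacted, "secret_len": len(secret)})
    return leaks


# Constructed sample data: an INFO reply and a short MONITOR capture (not real traffic).
SAMPLE_INFO = "# Server\nversion:2.12.0\nos:Linux\n"
SAMPLE_MONITOR = [
    '1700000000.100000 [0 10.0.0.5:50001] "PING"',
    '1700000000.200000 [0 10.0.0.7:50002] "AUTH" "s3cr3t-pa\\"ss"',
    '1700000000.300000 [0 10.0.0.7:50002] "GET" "session:42"',
    '1700000000.400000 [0 10.0.0.9:50003] "AUTH" "app" "hunter2"',
]

if __name__ == "__main__":
    server = version_from_info(SAMPLE_INFO)
    print("server version:", ".".join(map(str, server)))
    for cve in affected_cves(server):
        print(f"  affected by {cve}: {ADVISORIES[cve][2]}")
    if server < FIXED_VERSION:
        print("  upgrade to", ".".join(map(str, FIXED_VERSION)), "or later")
    for leak in find_credential_leaks(SAMPLE_MONITOR):
        print(f"  credential exposed from {leak['client']}: {leak['command']} ({leak['secret_len']} chars)")
```

Run it against a real `INFO server` reply and a saved MONITOR capture to get the list of clients whose passwords must be rotated; the redacted `command` field is safe to include in an incident ticket.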