AVID-2026-R1440

Description

RedisBloom heap buffer overflow in CF.LOADCHUNK command (CVE-2024-25115)

Details

RedisBloom adds a set of probabilistic data structures to Redis. Starting in version 2.0.0 and prior to versions 2.4.7 and 2.6.10, specially crafted CF.LOADCHUNK commands may be used by authenticated users to perform a heap overflow, which may lead to remote code execution. The problem is fixed in RedisBloom 2.4.7 and 2.6.10.

Reason for inclusion in AVID: CVE-2024-25115 describes a heap-based buffer overflow in RedisBloom (a Redis module) that could allow authenticated users to achieve remote code execution. RedisBloom is a software component that provides probabilistic data structures within Redis, and Redis-based deployments are commonly part of AI/ML data processing, feature pipelines, caching, and model serving stacks. This vulnerability therefore sits in a software component that can be part of the supply chain for general-purpose AI systems. The issue is a security vulnerability (RCE risk) with clear evidence and fixes in newer versions, and the report includes explicit CVE details and references.

References

Affected or Relevant Artifacts

  • Developer: RedisBloom
  • Deployer: RedisBloom
  • Artifact Details:
      Type: System
      Name: RedisBloom

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score: 7.0
Base Severity: High
Attack Vector: LOCAL
Attack Complexity: High
Privileges Required: Low
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

CWE

ID       Description
CWE-122  Heap-based Buffer Overflow
CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-04-09
  • Version: 0.3.3
  • AVID Entry