CVE-2026-25588 Overview
CVE-2026-25588 is a heap-based memory corruption vulnerability [CWE-122] affecting RedisTimeSeries, the time-series module for Redis. The flaw exists in all versions before 1.12.14 and stems from improper validation of serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisTimeSeries module loaded can supply a crafted serialized payload. The payload triggers invalid memory access and may lead to remote code execution within the Redis server process.
Critical Impact
Authenticated attackers can achieve remote code execution on Redis servers running RedisTimeSeries by submitting a malicious serialized payload through the RESTORE command, compromising data confidentiality, integrity, and availability.
Affected Products
- RedisTimeSeries module versions prior to 1.12.14
- Redis deployments with the RedisTimeSeries module loaded
- Any service exposing the RESTORE command to authenticated users on affected installations
Discovery Timeline
- 2026-05-05 - CVE-2026-25588 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-25588
Vulnerability Analysis
The vulnerability resides in how RedisTimeSeries handles serialized data restored through the Redis RESTORE command. Redis modules can register custom data types that implement serialization and deserialization callbacks. When a client invokes RESTORE, Redis dispatches the serialized blob to the appropriate module callback for reconstruction. RedisTimeSeries does not properly validate the structure or bounds of fields within the serialized payload before allocating and writing to heap memory.
An attacker authenticated to the Redis instance can craft a payload that causes the deserialization routine to perform invalid memory access. This produces a heap-based corruption condition consistent with [CWE-122]. Depending on heap layout and allocator behavior, the corruption can be steered toward arbitrary write primitives and ultimately remote code execution in the Redis server process.
Root Cause
The root cause is missing input validation in the RedisTimeSeries module's RESTORE deserialization path. Length fields, type tags, and structural offsets in the serialized blob are trusted without bounds checking. Crafted values cause the module to read or write past allocated buffers on the heap.
Attack Vector
Exploitation requires network access to the Redis instance and authentication credentials with permission to issue the RESTORE command. No user interaction is required. Attack complexity is elevated because the attacker must shape heap state and produce a payload tailored to module internals to reliably achieve code execution rather than a crash. Refer to the GitHub Security Advisory GHSA-7jwr-g5qv-w3gw for vendor technical details.
Detection Methods for CVE-2026-25588
Indicators of Compromise
- Unexpected RESTORE commands targeting time-series keys (TSDB-TYPE) from non-administrative clients in Redis logs or MONITOR output.
- Redis server crashes, segmentation faults, or abnormal restarts coinciding with module activity in RedisTimeSeries deployments.
- Outbound network connections or child process creation originating from the redis-server process, which should not occur in normal operation.
Detection Strategies
- Audit Redis command logs for clients invoking RESTORE who do not have a documented operational reason to perform key serialization.
- Inspect loaded modules with MODULE LIST and confirm the RedisTimeSeries version against the patched release 1.12.14.
- Correlate Redis process anomalies (crash dumps, OOM events, unexpected execve) with preceding RESTORE activity in centralized logging.
Monitoring Recommendations
- Forward Redis ACL events, RESTORE invocations, and module load events to a central SIEM or data lake for behavioral analysis.
- Alert on any redis-server process spawning shells, interpreters, or making outbound connections to unfamiliar destinations.
- Track RedisTimeSeries module version inventory across hosts and flag instances running versions below 1.12.14.
How to Mitigate CVE-2026-25588
Immediate Actions Required
- Upgrade RedisTimeSeries to version 1.12.14 or later on every Redis instance where the module is loaded.
- Audit Redis ACL configurations and remove RESTORE permission from any user that does not require it for replication or backup operations.
- Restrict network exposure of Redis instances to trusted application subnets and require strong authentication for all clients.
Patch Information
The vendor has released RedisTimeSeries v1.12.14, which fixes the validation gap in the RESTORE deserialization path. Production deployments should plan a coordinated module upgrade and Redis restart. Details are documented in GitHub Security Advisory GHSA-7jwr-g5qv-w3gw.
Workarounds
- Use Redis ACLs to deny the RESTORE command for all non-administrative users until the module is patched.
- Renaming or disabling the RESTORE command with the rename-command directive in redis.conf (renaming it to an empty string disables it) provides defense in depth where ACLs cannot be applied; note that MIGRATE and cluster resharding deliver keys to the receiving node via RESTORE, so do not disable it on instances that take part in either.
- Place Redis instances behind a network policy that limits client access to a known set of application hosts.
# Configuration example: restrict RESTORE via Redis ACL
# Remove RESTORE from the default user and create a least-privilege app user.
# RESTORE-ASKING is the cluster-internal variant; deny it as well on standalone instances.
ACL SETUSER default -restore -restore-asking
# -@dangerous already covers RESTORE; the explicit -restore keeps the intent visible.
ACL SETUSER appuser on >STRONG_PASSWORD ~* +@read +@write -@dangerous -restore
# ACL SAVE only works when an aclfile is configured; otherwise persist the rules in redis.conf.
ACL SAVE
# Verify RedisTimeSeries module version after upgrade
MODULE LIST
# Expect: name "timeseries" ver >= 11214 (1.12.14, encoded as major*10000 + minor*100 + patch)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.