Hello oss-security,

This is an information-only post documenting downstream impact and
coordination status for two already-public, already-fixed Redis Lua
vulnerabilities in Apache Kvrocks.

== CVEs ==

(1) CVE-2024-31449 -- Redis Lua HEAP overflow in cjson library
    NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-31449
    CVSS: 8.8 (HIGH)

(2) CVE-2025-49844 -- Redis Lua use-after-free in luaY_parser
    NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49844
    Origin: Pwn2Own Berlin 2025

== Downstream impact: Apache Kvrocks ==

Apache Kvrocks (https://github.com/apache/kvrocks) is a Redis-compatible
key-value store built on RocksDB. It bundles Lua via the RocksLabs/lua
submodule, which carries the vulnerable code paths from PUC Lua.
Specifically:

  - When built with -DENABLE_LUAJIT=OFF (PUC Lua fallback path), the
    Kvrocks binary contains the vulnerable luaY_parser() and the
    cjson library affected by both CVEs.
  - The default LuaJIT build path is NOT affected by CVE-2025-49844
    (LuaJIT does not share luaY_parser code), but cjson-based issues
    may still apply depending on the build.

Both downstream impacts were reported to the Kvrocks project and
acknowledged by the maintainers; fixes have been merged:

  CVE-2024-31449 -> https://github.com/apache/kvrocks/issues/3433
  CVE-2025-49844 -> https://github.com/apache/kvrocks/issues/3434

== Current coordination gap ==

As of 2026-04-16:

  - apache/kvrocks has NO published GitHub Security Advisory.
  - apache/kvrocks has Private Vulnerability Reporting DISABLED
    (verified via GitHub API).
  - The NVD entries for CVE-2024-31449 and CVE-2025-49844 do NOT
    list apache:kvrocks in their affected-product CPE lists.
  - Kvrocks release notes/changelog do not attach a security note to
    the fixing commits.

Net effect: because no advisory, CPE entry, or changelog note maps a
Kvrocks version range to either CVE, SCA tools (Trivy, Snyk, Dependabot,
OSV) currently have no data from which to flag vulnerable Kvrocks
builds automatically.
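A check that distributors or SCA-tool maintainers can run themselves to
confirm the CPE and private-reporting gaps listed above. This is added
example code, not from the post or the Kvrocks project: it walks an NVD
2.0 CVE record and reports which vendor:product pairs appear in its CPE
configurations, and reads the GitHub private-vulnerability-reporting
response. The endpoint URLs reflect my understanding of the NVD 2.0 and
GitHub REST APIs and should be verified against current documentation;
the embedded JSON is constructed so the script runs offline.

```python
"""Check NVD CPE coverage for a vendor:product and GitHub PVR status.

Added example, not part of the original post or the Kvrocks project.
Endpoint URLs are assumptions to verify against the NVD and GitHub docs;
the sample JSON below is constructed, not captured from the live APIs.
"""
import json
import re
import urllib.request

# Assumed endpoints (verify against current API documentation).
NVD_CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId={cve}"
GITHUB_PVR_API = ("https://api.github.com/repos/{owner}/{repo}"
                  "/private-vulnerability-reporting")


def parse_cpe23(criteria):
    """Return (vendor, product) from a CPE 2.3 formatted string.

    Layout: cpe:2.3:<part>:<vendor>:<product>:<version>:...  A literal colon
    inside a field is escaped as '\\:', so split only on unescaped colons.
    """
    fields = re.split(r"(?<!\\):", criteria)
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria!r}")
    return fields[3], fields[4]


def products_in_nvd_record(record):
    """Collect every vendor:product named in the record's configurations.

    Maps "vendor:product" -> True if any cpeMatch for it is flagged
    vulnerable, False if it only appears as a non-vulnerable condition.
    """
    found = {}
    for item in record.get("vulnerabilities", []):
        for cfg in item["cve"].get("configurations", []):
            for node in cfg.get("nodes", []):
                for match in node.get("cpeMatch", []):
                    vendor, product = parse_cpe23(match["criteria"])
                    key = f"{vendor}:{product}"
                    found[key] = found.get(key, False) or bool(
                        match.get("vulnerable", False))
    return found


def nvd_lists_product(record, vendor, product):
    """True if the CVE record names vendor:product at all."""
    return f"{vendor}:{product}" in products_in_nvd_record(record)


def pvr_enabled(pvr_response):
    """GitHub's endpoint answers {"enabled": true|false} (assumed shape)."""
    return bool(pvr_response.get("enabled", False))


def fetch_json(url, token=None):
    """Live fetch helper; not exercised offline."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample shaped like an NVD 2.0 response: only redis:redis is
# listed, which is exactly the gap the post describes for apache:kvrocks.
SAMPLE_NVD = {
    "vulnerabilities": [{"cve": {
        "id": "CVE-2025-49844",
        "configurations": [{"nodes": [{
            "operator": "OR", "negate": False,
            "cpeMatch": [{
                "vulnerable": True,
                "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*",
            }],
        }]}],
    }}],
}
# Constructed sample of the private-vulnerability-reporting response.
SAMPLE_PVR = {"enabled": False}


if __name__ == "__main__":
    # Offline demonstration on the constructed samples. For a live check,
    # replace the samples with fetch_json(NVD_CVE_API.format(cve=...)) and
    # fetch_json(GITHUB_PVR_API.format(owner="apache", repo="kvrocks")).
    print("CPE products:", products_in_nvd_record(SAMPLE_NVD))
    print("apache:kvrocks listed:",
          nvd_lists_product(SAMPLE_NVD, "apache", "kvrocks"))
    print("private vulnerability reporting enabled:",
          pvr_enabled(SAMPLE_PVR))
```

Run against the real NVD records, a `False` for `apache:kvrocks` is
the condition under which version-matching SCA tools stay silent; the
`vulnerable` flag distinguishes a product that is actually marked
affected from one that merely appears as a platform condition.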

== Coordination in progress ==

I have contacted [email protected] (Apache's official security
channel per https://kvrocks.apache.org/community/security) requesting
that the ASF / Kvrocks PMC issue formal advisories. I have also
contacted [email protected] requesting the addition of apache:kvrocks to
the affected-product CPE lists for both CVEs.

I am posting here so that distributors, packagers, and SCA-tool
maintainers have a public, independent record of the coordination
gap, and can make their own decisions about flagging Kvrocks builds
in the meantime.

== Reproducer / fix references ==

Both CVEs are public and well-documented at their NVD entries. No
new exploit information is included in this post; the contribution
here is the downstream-mapping data for Apache Kvrocks.

Regards,
Jincheng Yang
[email protected]
GitHub: jinchengyang98
(PhD student, academic security research on 1-day vulnerability
propagation across forks and downstream consumers.)
