GHSA-5w7q-2f7j-rqmm
Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Green
Network-accessible service, low complexity once authenticated; PR:L because EVAL requires a valid user account; S:C because sandbox escape grants host-level impact beyond the database process.
Primary rating from Vendor (CNA).
Description (PRE-NVD; AI-generated analysis)
Lua sandbox escape in Apache Kvrocks exposes the host environment to authenticated users who hold EVAL command privileges. The database fails to strip the loadstring function from its Lua scripting environment, which is a standard hardening step in Redis-protocol-compatible systems; retaining it allows a sandboxed Lua script to load and execute arbitrary Lua bytecode dynamically, effectively escaping the intended script isolation. …
Vulnerability Assessment (AI-generated)
| Area | Assessment |
|---|---|
| Exploitation | Exploitation requires: (1) network connectivity to the Kvrocks service port; (2) a valid user account with permission to execute the EVAL command - this is an authenticated, low-privilege condition, not unauthenticated; (3) no special non-default configuration is required beyond having EVAL access, which is typically granted by default to authenticated users in Redis-compatible systems. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS vector has been published; the following risk picture is inferred from the vulnerability class and description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Kvrocks user with EVAL command access sends a crafted Lua script containing a `loadstring`-based payload - for example, `EVAL "return loadstring('os = require(\'os\'); return os.execute(\'id\')')()" 0` - to the server. Because `loadstring` is not removed from the sandbox, the script compiles and executes the inner chunk within the server process, bypassing the scripting restrictions and potentially running OS-level commands or accessing arbitrary data. … |
| Remediation | The primary remediation is to upgrade to the patched version of Apache Kvrocks once it is released by the Apache Software Foundation. … Detailed patch versions, workarounds, and compensating controls in full report. |
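The hardening step the description and the assessment table refer to, as an added example (not Kvrocks' own code): an allow-list Lua sandbox that omits `loadstring` together with the other chunk loaders, plus a self-check a reviewer can run to confirm none of them is reachable from a script. It assumes Lua 5.1 semantics (`setfenv`/`loadstring`), the dialect used by Redis-style scripting engines.

```lua
-- Added example, not Kvrocks' own code. Assumes Lua 5.1 (setfenv/loadstring),
-- the dialect used by Redis-style scripting engines.

-- Globals that let a running script compile or load a new chunk. `loadstring`
-- is the one the advisory names; the other three reach the same capability, so
-- a sandbox that strips only `loadstring` is still open.
local CODE_LOADERS = { "loadstring", "load", "loadfile", "dofile" }

-- Build a fresh environment that exposes only an allow-list of globals.
-- Nothing from os, io, debug or package is reachable from it.
local function make_sandbox_env()
  local env = {}
  for _, name in ipairs({ "pairs", "ipairs", "tostring", "tonumber", "type",
                          "pcall", "error", "select", "unpack" }) do
    env[name] = _G[name]
  end
  env.string, env.table, env.math = string, table, math  -- pure libraries only
  env._G = env
  return env
end

-- Compile a script on the host side, bind it to the sandbox env, run it under
-- pcall. Returns ok, result_or_error.
local function run_sandboxed(src)
  local fn, err = loadstring(src, "=script")
  if not fn then return false, err end
  setfenv(fn, make_sandbox_env())
  return pcall(fn)
end

-- Self-check: every loader must be nil as seen from inside the sandbox.
-- Returns true, or false plus the first loader name that leaked through.
local function sandbox_is_hardened()
  for _, name in ipairs(CODE_LOADERS) do
    local ok, present = run_sandboxed("return " .. name .. " ~= nil")
    if not ok or present then return false, name end
  end
  return true
end

assert(sandbox_is_hardened(), "a chunk loader is reachable from the sandbox")
-- Ordinary work succeeds; an attempt to use loadstring fails inside pcall.
assert(select(2, run_sandboxed("return string.rep('a', 3)")) == "aaa")
assert(run_sandboxed("return loadstring('return 1')") == false)
```

The self-check is the part worth keeping in a deployment's test suite: it fails the moment a future change reintroduces any of the four loaders into the script environment.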
Recommended Action (AI-generated)
Within 24 hours: Audit all Apache Kvrocks deployments to identify instances with EVAL command enabled and document which user accounts hold EVAL privileges. …
EUVD-2026-39333