Message-ID: <69e0d549.170a0220.2844e6.1a9b@mx.google.com>
Date: Thu, 16 Apr 2026 05:25:45 -0700 (PDT)
From: yangjincheng1998@...il.com
To: oss-security@...ts.openwall.com
Subject: Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory

Hello oss-security,

This is an information-only post documenting downstream impact and
coordination status for two already-public, already-fixed Redis Lua
vulnerabilities in Apache Kvrocks.

== CVEs ==

(1) CVE-2024-31449 -- Redis Lua HEAP overflow in cjson library
    NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-31449
    CVSS: 8.8 (HIGH)

(2) CVE-2025-49844 -- Redis Lua use-after-free in luaY_parser
    NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49844
    Origin: Pwn2Own Berlin 2025

== Downstream impact: Apache Kvrocks ==

Apache Kvrocks (https://github.com/apache/kvrocks) is a Redis-compatible
KV store on RocksDB. It bundles Lua via the RocksLabs/lua submodule,
which contains the vulnerable code paths from PUC Lua. Specifically:

  - When built with -DENABLE_LUAJIT=OFF (PUC Lua fallback path), the
    Kvrocks binary contains the vulnerable luaY_parser() and the
    cjson library affected by both CVEs.
  - The default LuaJIT build path is NOT affected by CVE-2025-49844
    (LuaJIT does not share luaY_parser code), but cjson-based issues
    may still apply depending on the build.

Both downstream impacts were reported to the Kvrocks project and
acknowledged by the maintainers; fixes have been merged:

  CVE-2024-31449 -> https://github.com/apache/kvrocks/issues/3433
  CVE-2025-49844 -> https://github.com/apache/kvrocks/issues/3434

== Current coordination gap ==

As of 2026-04-16:

  - apache/kvrocks has NO published GitHub Security Advisory.
  - apache/kvrocks has Private Vulnerability Reporting DISABLED
    (verified via GitHub API).
  - The NVD entries for CVE-2024-31449 and CVE-2025-49844 do NOT
    list apache:kvrocks in their affected-product CPE lists.
  - Kvrocks release notes/changelog do not attach a security note to
    the fixing commits.

Net effect: SCA tools (Trivy, Snyk, Dependabot, OSV) currently have
no way to detect vulnerable Kvrocks versions automatically.

== Coordination in progress ==

I have contacted security@...che.org (Apache's official security
channel per https://kvrocks.apache.org/community/security) requesting
that the ASF / Kvrocks PMC issue formal advisories. I have also
contacted nvd@...t.gov requesting the addition of apache:kvrocks to
the affected-product CPE lists for both CVEs.

I am posting here so that distributors, packagers, and SCA-tool
maintainers have a public, independent record of the coordination
gap, and can make their own decisions about flagging Kvrocks builds
in the meantime.

== Reproducer / fix references ==

Both CVEs are public and well-documented at their NVD entries. No
new exploit information is included in this post; the contribution
here is the downstream-mapping data for Apache Kvrocks.

Regards,
Jincheng Yang
yangjincheng1998@...il.com
GitHub: jinchengyang98
(PhD student, academic security research on 1-day vulnerability
propagation across forks and downstream consumers.)
