CVE-2024-55656
Published: 08 January 2025
Summary
CVE-2024-55656 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 5.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely patching of the integer overflow flaw in RedisBloom's CMS.INITBYDIM command, directly eliminating the vulnerability as fixed in versions 2.2.19, 2.4.12, 2.6.14, and 2.8.2.
Validates user-supplied width and depth parameters to CMS.INITBYDIM, preventing integer overflow during heap memory allocation in NewCMSketch().
Implements memory safeguards like address space layout randomization and heap protections to mitigate exploitation of under-allocated heap memory leading to info leaks and OOB writes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Integer overflow enables remote exploitation of RedisBloom (public-facing Redis module) via CMS.INITBYDIM for memory corruption and RCE.
NVD Description
RedisBloom adds a set of probabilistic data structures to Redis. There is an integer overflow vulnerability in RedisBloom, which is a module used in Redis. The integer overflow vulnerability allows an attacker (a redis client which knows the password) to allocate memory in the heap less than the required memory due to wraparound. Then read and write can be performed beyond this allocated memory, leading to info leak and OOB write. The integer overflow is in the CMS.INITBYDIM command, which initializes a Count-Min Sketch to dimensions specified by the user. It accepts two values (width and depth) and uses them to allocate memory in NewCMSketch(). This vulnerability is fixed in 2.2.19, 2.4.12, 2.6.14, and 2.8.2.
Deeper analysis
CVE-2024-55656 is an integer overflow vulnerability (CWE-190) in RedisBloom, a Redis module that provides probabilistic data structures such as Count-Min Sketch. The flaw occurs in the CMS.INITBYDIM command, which accepts user-specified width and depth values to initialize a Count-Min Sketch via the NewCMSketch() function. These values trigger an integer overflow during heap memory allocation, resulting in less memory being allocated than required due to wraparound. This affects RedisBloom versions prior to the patched releases and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated Redis client (requiring knowledge of the Redis password) can exploit this vulnerability remotely with low complexity and no user interaction. By supplying crafted width and depth parameters to CMS.INITBYDIM, the attacker causes heap memory under-allocation, enabling subsequent read and write operations beyond the allocated bounds. This leads to information leakage and out-of-bounds (OOB) writes, potentially allowing arbitrary code execution, data corruption, or denial of service.
The RedisBloom GitHub security advisory (GHSA-x5rx-rmq3-ff3h) confirms the vulnerability and states that it is fixed in versions 2.2.19, 2.4.12, 2.6.14, and 2.8.2. Security practitioners should upgrade to one of these patched versions and review access controls for Redis instances using RedisBloom, ensuring that only trusted clients have authenticated access.
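The input-validation control (SI-10) above amounts to checking the width x depth size arithmetic before the heap allocation is made. The following is an added illustration, not RedisBloom's own code: a checked size computation that rejects dimensions whose product would wrap, placed beside a 32-bit unchecked computation that shows how wraparound yields a tiny allocation. The counter type, the cms_table_bytes/wrapped_bytes_u32/cms_create names and the struct layout are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Counter type assumed for the sketch table (illustration only). */
typedef uint32_t cms_counter_t;

typedef struct {
    size_t width, depth;
    cms_counter_t *table;   /* width * depth counters, row-major */
} cms_sketch;

/* Checked size: returns width * depth * sizeof(cms_counter_t), or 0 if either
 * dimension is zero or the product would exceed SIZE_MAX. Zero is never a
 * valid table size, so callers can treat 0 as "reject the request". */
size_t cms_table_bytes(uint64_t width, uint64_t depth) {
    if (width == 0 || depth == 0) return 0;
    if (width > SIZE_MAX / depth) return 0;                 /* width*depth wraps */
    size_t cells = (size_t)(width * depth);
    if (cells > SIZE_MAX / sizeof(cms_counter_t)) return 0; /* *elemsize wraps */
    return cells * sizeof(cms_counter_t);
}

/* Unchecked 32-bit arithmetic, kept only to demonstrate the failure mode:
 * the product silently wraps modulo 2^32, so large dimensions can produce a
 * very small (even zero) byte count that an allocator would happily honour. */
uint32_t wrapped_bytes_u32(uint64_t width, uint64_t depth) {
    uint32_t w = (uint32_t)width, d = (uint32_t)depth;
    uint32_t bytes = w * d;                  /* wraps, no diagnostic */
    bytes *= (uint32_t)sizeof(cms_counter_t);
    return bytes;
}

/* Allocate a sketch only after the size has been validated. */
cms_sketch *cms_create(uint64_t width, uint64_t depth) {
    size_t bytes = cms_table_bytes(width, depth);
    if (bytes == 0) return NULL;             /* reject instead of under-allocating */
    cms_sketch *s = malloc(sizeof *s);
    if (s == NULL) return NULL;
    s->table = malloc(bytes);
    if (s->table == NULL) { free(s); return NULL; }
    memset(s->table, 0, bytes);
    s->width = (size_t)width;
    s->depth = (size_t)depth;
    return s;
}

void cms_free(cms_sketch *s) {
    if (s) { free(s->table); free(s); }
}
```

With width = 1048576 and depth = 1024 the unchecked 32-bit path computes 0 bytes while the checked path computes 4 GiB (or rejects the request where size_t is 32 bits), which is exactly the gap an out-of-bounds read or write would land in.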
Details
- CWE(s)