CVE-2024-55656
Published: 08 January 2025
Description
RedisBloom adds a set of probabilistic data structures to Redis. There is an integer overflow vulnerability in RedisBloom, a module used in Redis. The integer overflow allows an attacker (a Redis client that knows the password) to allocate less heap memory than required due to wraparound. Reads and writes can then be performed beyond the allocated memory, leading to an information leak and an out-of-bounds write. The integer overflow is in the CMS.INITBYDIM command, which initializes a Count-Min Sketch to dimensions specified by the user. It accepts two values (width and depth) and uses them to allocate memory in NewCMSketch(). This vulnerability is fixed in 2.2.19, 2.4.12, 2.6.14, and 2.8.2.
Security Summary
CVE-2024-55656 is an integer overflow vulnerability (CWE-190) in RedisBloom, a Redis module that provides probabilistic data structures such as Count-Min Sketch. The flaw occurs in the CMS.INITBYDIM command, which accepts user-specified width and depth values to initialize a Count-Min Sketch via the NewCMSketch() function. Crafted values overflow the allocation-size computation derived from them, so less heap memory is allocated than the sketch requires because the result wraps around. This affects RedisBloom versions prior to the patched releases and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated Redis client (requiring knowledge of the Redis password) can exploit this vulnerability remotely with low complexity and no user interaction. By supplying crafted width and depth parameters to CMS.INITBYDIM, the attacker causes heap memory under-allocation, enabling subsequent read and write operations beyond the allocated bounds. This leads to information leakage and out-of-bounds (OOB) writes, potentially allowing arbitrary code execution, data corruption, or denial of service.
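The mechanism described above is the classic allocation-size overflow: a byte count derived from width, depth and the per-cell size wraps around, so the allocator hands back a buffer far smaller than the sketch later indexes into. The following C program is an added illustration written for this page; it is not RedisBloom's code and does not reproduce the NewCMSketch() implementation or its fix. It assumes 32-bit counters per cell (an assumption, not taken from the project) and shows the unchecked size computation beside a hardened version that rejects dimensions whose product does not fit in size_t.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cell width for this illustration: one 32-bit counter per cell.
 * This is not taken from RedisBloom's source. */
#define CMS_CELL_SIZE sizeof(uint32_t)

/* The defective pattern: width * depth * cell size computed with plain
 * size_t arithmetic. When the true product exceeds SIZE_MAX the result
 * silently wraps, so the caller asks the allocator for far fewer bytes
 * than the sketch will later index into. */
size_t cms_bytes_unchecked(size_t width, size_t depth)
{
    return width * depth * CMS_CELL_SIZE;
}

/* Hardened version: each multiplication is bounds-checked before it is
 * performed. Returns true and stores the byte count in *out on success;
 * returns false when a dimension is zero or the product would overflow. */
bool cms_bytes_checked(size_t width, size_t depth, size_t *out)
{
    if (width == 0 || depth == 0)
        return false;
    if (depth > SIZE_MAX / width)            /* width * depth would wrap */
        return false;
    size_t cells = width * depth;
    if (cells > SIZE_MAX / CMS_CELL_SIZE)    /* cells * cell size would wrap */
        return false;
    *out = cells * CMS_CELL_SIZE;
    return true;
}

typedef struct {
    size_t width;
    size_t depth;
    uint32_t *array;
} cms_t;

/* Allocate a sketch only when the size computation is sound; a failed
 * check is reported to the caller as NULL instead of under-allocating. */
cms_t *cms_new(size_t width, size_t depth)
{
    size_t bytes;
    if (!cms_bytes_checked(width, depth, &bytes))
        return NULL;
    cms_t *cms = calloc(1, sizeof *cms);
    if (!cms)
        return NULL;
    cms->array = calloc(1, bytes);
    if (!cms->array) {
        free(cms);
        return NULL;
    }
    cms->width = width;
    cms->depth = depth;
    return cms;
}

void cms_free(cms_t *cms)
{
    if (!cms)
        return;
    free(cms->array);
    free(cms);
}

int main(void)
{
    /* 2^(bits-1): multiplying it by anything >= 2 wraps in size_t. */
    size_t big = SIZE_MAX / 2 + 1;
    size_t out;

    printf("unchecked bytes for %zu x 4 cells: %zu\n",
           big, cms_bytes_unchecked(big, 4));
    printf("checked: %s\n",
           cms_bytes_checked(big, 4, &out) ? "accepted" : "rejected (overflow)");

    cms_t *c = cms_new(2000, 10);
    printf("2000 x 10 sketch: %s\n", c ? "allocated" : "rejected");
    cms_free(c);
    return 0;
}
```

With the constructed inputs, the unchecked computation wraps to 0 bytes while the checked version refuses the request; the 2000 x 10 sketch is accepted with 80000 bytes. Modern C libraries also check the n * size product inside calloc(n, size), but an explicit check lets the command handler return a clear error to the client rather than relying on allocator behaviour, and it also catches the wraparound when the product is computed before the allocator ever sees it.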
The RedisBloom GitHub security advisory (GHSA-x5rx-rmq3-ff3h) confirms the vulnerability and states that it is fixed in versions 2.2.19, 2.4.12, 2.6.14, and 2.8.2. Security practitioners should upgrade to one of these patched versions and review access controls for Redis instances using RedisBloom, ensuring that only trusted clients have authenticated access.
Details
- CWE(s)