RediSearch Integer Overflow Vulnerability in LIMIT and KNN Arguments Leading to Remote Code Execution
Vulnerability
A vulnerability exists in RediSearch, a Redis module for querying and full-text search, allowing an authenticated user to execute FT.SEARCH or FT.AGGREGATE commands with specially crafted LIMIT or KNN arguments. This can trigger an integer overflow, causing a heap overflow and potentially leading to remote code execution. The vulnerability affects all RediSearch versions greater than 2.0.0 and has been patched in versions 2.6.24, 2.8.21, and 2.10.10.
Impact
Exploitation of this vulnerability can result in a heap overflow, allowing for remote code execution.
Reproduction
To reproduce this vulnerability, an authenticated Redis user can use the FT.SEARCH or FT.AGGREGATE commands with large LIMIT arguments that exceed the maximum allowed values. For FT.SEARCH, KNN arguments with large K values can also trigger the vulnerability.
Remediation
Users can upgrade to RediSearch versions 2.6.24, 2.8.21, or 2.10.10 to address this vulnerability. Additionally, avoid setting large values or -1 for the MAXSEARCHRESULTS and MAXAGGREGATERESULTS configuration parameters.
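The two remediation points above (run a fixed release, and keep MAXSEARCHRESULTS / MAXAGGREGATERESULTS bounded) can be turned into a routine fleet check. The script below is an added example and is not code from the advisory or from the RediSearch project. It assumes that MODULE LIST reports RediSearch under the module name "search" with an integer version encoded as major*10000 + minor*100 + patch (so 20624 is 2.6.24), that FT.CONFIG GET replies with a list of [name, value] pairs, and that the "large value" cut-off is a local policy choice (the advisory names no number); the reply structures embedded below are constructed sample data.

```python
"""Defender-side checks for the RediSearch LIMIT/KNN integer-overflow advisory.

Added example, not part of the advisory or the RediSearch project.
Assumptions (verify against your deployment):
  * MODULE LIST lists RediSearch as name "search" with an integer "ver"
    encoded major*10000 + minor*100 + patch, e.g. 20624 -> 2.6.24.
  * FT.CONFIG GET <option> replies as a list of [name, value] pairs.
  * LARGE_LIMIT_THRESHOLD is a local policy value, not from the advisory.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (2, 6): (2, 6, 24),
    (2, 8): (2, 8, 21),
    (2, 10): (2, 10, 10),
}
LARGE_LIMIT_THRESHOLD = 1_000_000  # hypothetical policy cut-off


def _text(value) -> str:
    """Redis clients may return bytes or str; normalise to str."""
    return value.decode() if isinstance(value, bytes) else str(value)


def decode_module_version(raw: int) -> Version:
    """Decode the integer module version reported by MODULE LIST (assumed encoding)."""
    return raw // 10000, (raw // 100) % 100, raw % 100


def find_redisearch_version(module_list: List[list]) -> Optional[Version]:
    """Pick RediSearch's version out of a MODULE LIST reply (flat key/value entries)."""
    for entry in module_list:
        fields = {_text(k): v for k, v in zip(entry[0::2], entry[1::2])}
        if fields.get("name") == "search" or fields.get("name") == b"search":
            return decode_module_version(int(fields["ver"]))
    return None


def assess_version(ver: Optional[Version]) -> str:
    """Classify an installed version against the advisory's fixed releases."""
    if ver is None:
        return "redisearch-not-loaded"
    if ver <= (2, 0, 0):
        return "not-affected"  # advisory: affected versions are > 2.0.0
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        return "unlisted-branch-verify-manually"  # advisory names no fix for this branch
    return "patched" if ver >= fixed else "vulnerable"


def config_value(reply: List[list], option: str) -> Optional[int]:
    """Read one integer option out of an FT.CONFIG GET reply."""
    for name, value in reply:
        if _text(name).upper() == option.upper():
            return int(_text(value))
    return None


def assess_limit_config(reply: List[list], option: str,
                        threshold: int = LARGE_LIMIT_THRESHOLD) -> str:
    """Flag -1 (unlimited) or values above the local threshold, per the advisory."""
    value = config_value(reply, option)
    if value is None:
        return "unknown"
    if value < 0:
        return "unlimited"
    if value > threshold:
        return "large"
    return "ok"


def run_checks(module_list: List[list], search_cfg: List[list],
               agg_cfg: List[list]) -> Dict[str, str]:
    """Combine the version and configuration checks into one report."""
    return {
        "version": assess_version(find_redisearch_version(module_list)),
        "MAXSEARCHRESULTS": assess_limit_config(search_cfg, "MAXSEARCHRESULTS"),
        "MAXAGGREGATERESULTS": assess_limit_config(agg_cfg, "MAXAGGREGATERESULTS"),
    }


if __name__ == "__main__":
    # Constructed sample replies standing in for a live server. With redis-py you
    # would obtain them via r.execute_command("MODULE", "LIST") and
    # r.execute_command("FT.CONFIG", "GET", "MAXSEARCHRESULTS").
    sample_modules = [[b"name", b"search", b"ver", 20623, b"path", b"/opt/redisearch.so"]]
    sample_search_cfg = [[b"MAXSEARCHRESULTS", b"1000000"]]
    sample_agg_cfg = [[b"MAXAGGREGATERESULTS", b"-1"]]
    for key, result in run_checks(sample_modules, sample_search_cfg, sample_agg_cfg).items():
        print(f"{key}: {result}")
```

Run against real replies, a result of "vulnerable" or "unlimited" is the signal to schedule the upgrade to 2.6.24 / 2.8.21 / 2.10.10 or to bound the result limits; "unlisted-branch-verify-manually" means the installed branch is not one the advisory names a fix for, so check the vendor's release notes rather than assuming either way.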
