Valkey-Bloom Remote Denial-of-Service Vulnerability via Malformed RESTORE Command
Vulnerability
A denial-of-service vulnerability has been identified in the Valkey-Bloom module for the Valkey key-value store, affecting versions before 1.0.1. A specially crafted 'RESTORE' command causes the Valkey server to hit an assertion and abort. The root cause is in how the module signals errors during RDB deserialization: a Valkey module must set the 'VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS' option to tell the server that its RDB load callback checks for I/O and parsing errors itself. If the option is not set, the server treats any error raised while loading module data as fatal and triggers an assertion that terminates the process. Valkey-Bloom's RDB loading code did check for parsing errors, but the module did not enable the option, so a malformed 'RESTORE' payload reached the server's fatal-error path instead of being rejected with an error reply to the client. The issue is fixed in version 1.0.1.
Impact
Exploitation of this vulnerability leads to a remote denial-of-service condition: any client able to issue a 'RESTORE' command to the server (any authenticated client whose ACL permits the command, or any client at all if no authentication is configured) can crash the Valkey process. The whole instance goes down, including every key in every database it holds, not only the bloom filters managed by the module.
Reproduction
The vulnerability can be reproduced by sending a malformed 'RESTORE' command to a Valkey server that has loaded an affected version of the Valkey-Bloom module. Any Valkey client that can send a 'RESTORE' command will do. When the server processes the command, it hits an assertion and exits, demonstrating the denial-of-service condition. Because the reproduction takes down the entire server process, it should only be performed against an isolated test instance.
Remediation
Users should upgrade to Valkey-Bloom version 1.0.1 or later, which includes the fix. If upgrading is not immediately possible and the application does not rely on 'RESTORE', the command can be disabled (for example by renaming it away in the server configuration) or denied to application users through ACLs, so that clients cannot reach the vulnerable code path.
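As an added example (not part of the advisory or of the Valkey-Bloom project), the following valkey.conf fragment shows both ways of keeping clients away from the 'RESTORE' code path on an instance that cannot yet be upgraded. The user names and passwords are placeholders; the command names and directives are standard Valkey configuration.

```conf
# Added example, not from the advisory: two ways to stop clients from
# reaching the RESTORE code path on a Valkey instance that cannot yet be
# upgraded to valkey-bloom 1.0.1. Put either option in valkey.conf.

# Option 1: rename RESTORE to the empty string, which removes it from the
# command table entirely. RESTORE-ASKING is the cluster-mode variant served
# by the same implementation, so it is renamed as well.
rename-command RESTORE ""
rename-command RESTORE-ASKING ""

# Option 2 (ACLs): keep the command available to an operator account but
# deny it to the application's account. "appuser", "admin" and the
# passwords are placeholders; replace them before use.
user default off
user appuser on >REPLACE_WITH_STRONG_PASSWORD ~* &* +@all -restore -restore-asking
user admin on >REPLACE_WITH_ANOTHER_PASSWORD ~* &* +@all
```

Two caveats before choosing either option. First, 'MIGRATE' delivers keys to the target node with 'RESTORE' (or 'RESTORE-ASKING' in cluster mode), so disabling the command on a node also prevents keys or slots from being migrated into it; in a cluster this breaks resharding until the module is upgraded. Second, renaming only hides the command; an upgrade is still the real fix. After a restart, confirm the change took effect with `COMMAND INFO restore` (the reply is empty once the command is renamed away) or, for the ACL variant, `ACL DRYRUN appuser RESTORE somekey 0 x`, which reports the denial without executing anything.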
