RedisBloom is a probabilistic data structures module for Redis. In all versions of RedisBloom before 2.8.20, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisBloom module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This issue is fixed in version 2.8.20.
Conclusion & alert: CVE-2026-25589 is rated Moderate Risk (54.6/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.33%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-07-01 | 1.21% | 1.33% | +0.13% |
| 2 | 2026-06-23 | 0.58% | 1.21% | +0.62% |
| 3 | 2026-06-15 | — | 0.58% | — |
Full EPSS history (6 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.7 | 4.0 | HIGH |
|
— | — | [email protected] |
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
suse
|
high | — | https://www.suse.com/security/cve/CVE-2026-25589/ |
ubuntu
|
medium | CVE-2026-25589 medium priority: Ubuntu including 1 source packages (redis), 9 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): needs-triage 9. | https://ubuntu.com/security/CVE-2026-25589 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| redisbloom | redisbloom | < 2.8.20 | cpe:2.3:a:redisbloom:redisbloom:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/RedisBloom/RedisBloom/releases/tag/v2.8.20 | Patch Product |
| https://github.com/RedisBloom/RedisBloom/security/advisories/GHSA-7862-34pw-44wv | Mitigation Vendor Advisory |