Redis · RedisTimeSeries · CVE-2026-25588
**Name of the Vulnerable Software and Affected Versions**
RedisTimeSeries versions prior to 1.12.14
**Description**
RedisTimeSeries, a time-series module for Redis, fails to properly validate serialized values processed through the 'RESTORE' command. An authenticated attacker with permissions to execute this command can provide a specially crafted serialized payload that triggers invalid memory access, specifically a heap buffer overflow. This may lead to remote code execution or a denial of service.
**Recommendations**
Update to version 1.12.14.
Restrict access to the 'RESTORE' command using ACL rules as a temporary workaround.
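
To verify the ACL workaround above, the following Python check reads `ACL LIST` output and reports enabled users whose rules still permit `RESTORE`. It is an added example, not code from the advisory or the RedisTimeSeries project. The sample lines, user names and `<hash>` placeholders are constructed, the category set for `RESTORE` follows the Redis command reference, and selector parsing assumes key patterns contain no parentheses.

```python
import re

# ACL categories that include RESTORE (Redis command reference); "@all" covers every command.
RESTORE_CATEGORIES = {"@all", "@keyspace", "@write", "@slow", "@dangerous"}
ALIASES = {"allcommands": "+@all", "nocommands": "-@all", "reset": "-@all"}

def allows_restore(tokens):
    """Apply command rules left to right, as Redis does, tracking RESTORE only."""
    allowed = False
    for tok in tokens:
        tok = ALIASES.get(tok.lower(), tok.lower())
        if tok[:1] in ("+", "-") and (tok[1:] == "restore" or tok[1:] in RESTORE_CATEGORIES):
            allowed = tok[0] == "+"
    return allowed

def users_with_restore(acl_list_lines):
    """Return enabled users whose root rules or any selector still permit RESTORE."""
    flagged = []
    for line in acl_list_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        name, rest = parts[1], " ".join(parts[2:])
        # Redis 7 selectors "(...)" are independent permission sets; any one may grant access.
        selectors = [s.split() for s in re.findall(r"\(([^)]*)\)", rest)]
        root = re.sub(r"\([^)]*\)", " ", rest).split()
        state = [t for t in root if t in ("on", "off")]
        enabled = bool(state) and state[-1] == "on"
        if enabled and any(allows_restore(rules) for rules in [root] + selectors):
            flagged.append(name)
    return flagged

# Constructed sample in the format printed by `ACL LIST` (password hashes replaced).
SAMPLE = [
    "user default on nopass ~* &* +@all",
    "user app on #<hash> ~app:* resetchannels +@all -restore",
    "user metrics on #<hash> ~ts:* resetchannels -@all +@read +ts.add",
    "user migrate on #<hash> ~* resetchannels -@all +dump +restore",
    "user legacy off #<hash> ~* resetchannels +@all",
    "user batch on #<hash> ~q:* resetchannels -@all +get (~ts:* +@write)",
]

if __name__ == "__main__":
    for user in users_with_restore(SAMPLE):
        print(f"{user}: RESTORE still permitted")
```

Run it against the saved output of `redis-cli ACL LIST`; it checks command permissions only, not key patterns.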