Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is associated with program files sds.C. This issue affects swoole-src: before 6.0.2.
The vulnerability is an integer overflow (integer overflow or wraparound) in the code handling dynamic strings (SDS — Simple Dynamic Strings) in the hiredis module included with swoole-src. Improperly handled arithmetic operations on integer values can result in allocation of a buffer that is too small, opening the way to further memory overwrites. The attack vector is network-based, requires no authentication or user interaction.
An attacker can remotely, without authentication, cause memory corruption in the process, which may consequently enable arbitrary code execution (RCE), disclosure of sensitive data, or service unavailability. High impact on confidentiality, integrity, and availability affects both the direct component and related systems.
swoole-src should be updated to version 6.0.2 or newer. Patch details are available in the vendor reference: https://github.com/swoole/swoole-src/pull/5698
swoole-src in versions prior to 6.0.2 (thirdparty/hiredis component, sds.c file)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Red