CVE-2012-3586: Basho Riak API, Security Alert

On June 14th a comment on GitHub asked Basho about validation in their API:

The Riak HTTP API for map reduce doesn't check if the content-type is application/json. The JavaScript HTTP API also lets the user execute arbitrary code on the server. These two coupled together allow a malicious web page to execute arbitrary code on a user's machine if they are running the Riak HTTP API. I'm not sure if this is a bug or not but there should be a warning that if you are running the Riak HTTP API then you should be very careful about the sites you visit.
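The check the comment is asking about, shown as an added illustration rather than Basho's code or the released patch: a JSON-only map-reduce handler that rejects any body whose declared Content-Type is not application/json before it looks at the body at all. The Request shape, the header handling and the sample job document are assumptions constructed for this example.

```python
"""Added illustration of Content-Type enforcement for a JSON-only
map-reduce endpoint. Not Riak's code or Basho's patch: the Request
shape and the sample job below are assumptions constructed for the
example."""
import json
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    body: bytes
    headers: dict = field(default_factory=dict)

def media_type(content_type: str) -> str:
    """Bare media type of a Content-Type value: parameters such as
    ';charset=utf-8' are dropped and the result is lower-cased."""
    return content_type.split(";", 1)[0].strip().lower()

def accept_mapred(req: Request) -> tuple:
    """Return (status, reason). The body is parsed only after the
    declared type has been checked, so a body that happens to be valid
    JSON but arrived as text/plain or form data is never executed."""
    if req.method != "POST":
        return 405, "method not allowed"
    headers = {k.lower(): v for k, v in req.headers.items()}
    ctype = headers.get("content-type")
    if ctype is None or media_type(ctype) != "application/json":
        return 415, "unsupported media type"
    try:
        job = json.loads(req.body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, "malformed JSON"
    if not isinstance(job, dict) or "inputs" not in job or "query" not in job:
        return 400, "not a map-reduce job"
    return 200, "accepted"

# Constructed sample job (assumption: a minimal map-reduce job document).
JOB = b'{"inputs": "bucket", "query": [{"map": {"language": "javascript", "name": "Riak.mapValuesJson"}}]}'

# A cross-origin HTML form can only declare application/x-www-form-urlencoded,
# multipart/form-data or text/plain, so FORM_POST is what such a submission
# looks like server-side: the same JSON body, but the wrong declared type.
JSON_POST = Request("POST", JOB, {"Content-Type": "application/json; charset=utf-8"})
FORM_POST = Request("POST", JOB, {"Content-Type": "text/plain"})
```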

About a week later, on June 20th, Basho announced a security alert:

We are releasing both a security patch (for Riak versions 1.0.3 and 1.1.2) and a full 1.1.4 security release. We advise all users of Riak to either apply the appropriate patch or upgrade to 1.1.4. If you are running a version of Riak other than 1.0.3 or 1.1.2, it will be necessary to upgrade to 1.1.4.

[…]

Additional information about the exploit will be released in the next few weeks.
