Multiple vulnerabilities in Redis



Risk: Medium
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2025-48367, CVE-2025-32023
CWE-ID: CWE-399, CWE-787
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Redis (Server applications / Database software)
Vendor: Redis Labs

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Resource management error

EUVDB-ID: #VU112337

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-48367

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of connection-level errors in the server. A remote non-authenticated attacker can open connections that cause repeated IP protocol errors, starving legitimate clients and leading to a denial of service condition.

Mitigation

Install updates from the vendor's website (fixed releases: 6.2.19, 7.2.10, 7.4.5, 8.0.3).

Vulnerable software versions

Redis: 6.0.0 - 8.0.2

External links

https://github.com/redis/redis/security/advisories/GHSA-4q32-c38c-pwgq
https://github.com/redis/redis/releases/tag/6.2.19
https://github.com/redis/redis/releases/tag/7.2.10
https://github.com/redis/redis/releases/tag/7.4.5
https://github.com/redis/redis/releases/tag/8.0.3


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds write

EUVDB-ID: #VU112336

Risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-32023

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote user to compromise the vulnerable system.

The vulnerability exists due to a boundary error in HyperLogLog operations. A remote authenticated user can send a specially crafted string to trigger an out-of-bounds write and potentially execute arbitrary code on the target system.

Mitigation

Install updates from the vendor's website (fixed releases: 6.2.19, 7.2.10, 7.4.5, 8.0.3).

Vulnerable software versions

Redis: 6.0.0 - 8.0.2

External links

https://github.com/redis/redis/security/advisories/GHSA-rp2m-q4j6-gr43
https://github.com/redis/redis/releases/tag/6.2.19
https://github.com/redis/redis/releases/tag/7.2.10
https://github.com/redis/redis/releases/tag/7.4.5
https://github.com/redis/redis/releases/tag/8.0.3
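Both entries in this bulletin share the same affected range (6.0.0 - 8.0.2) and the same fix releases (6.2.19, 7.2.10, 7.4.5, 8.0.3), so one version check covers CVE-2025-48367 and CVE-2025-32023. The script below is an added example, not part of this bulletin and not Redis's own tooling: it reads the `redis_version` field from `INFO server` output and reports whether the instance is inside the bulletin's range and which listed release to move to. The embedded INFO text is constructed sample data, and the function names (`assess`, `version_from_info`) are the example's own.

```python
"""Version check for the two Redis issues in this bulletin.

Added example (not vendor or bulletin code). It only encodes the affected
range and fix releases as stated in the bulletin above; older branches that
the bulletin does not list are reported as out of scope, not as safe.
"""
import re

# Fix releases named in the bulletin, keyed by (major, minor) branch.
FIXED = {
    (6, 2): (6, 2, 19),
    (7, 2): (7, 2, 10),
    (7, 4): (7, 4, 5),
    (8, 0): (8, 0, 3),
}
# Affected range as stated in the bulletin.
RANGE_LOW = (6, 0, 0)
RANGE_HIGH = (8, 0, 2)

# Constructed sample of `redis-cli INFO server` output (not a real capture).
SAMPLE_INFO = """# Server
redis_version:7.4.4
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 6.1.0 x86_64
tcp_port:6379
"""


def parse_version(text):
    """Turn 'x.y.z' into a comparable (x, y, z) tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def fmt(v):
    return ".".join(str(x) for x in v)


def assess(version):
    """Return (vulnerable, recommended_release) for a Redis version string.

    recommended_release is None when the version lies outside the bulletin's
    stated range, i.e. the bulletin makes no statement about it.
    """
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        # Branch has a listed fix release: vulnerable iff older than it.
        return (v < fixed, fmt(fixed))
    if RANGE_LOW <= v <= RANGE_HIGH:
        # Branch without its own fix (e.g. 6.0.x, 7.0.x): point at the
        # nearest listed fix release that is not a downgrade.
        targets = sorted(f for f in FIXED.values() if f >= v)
        return (True, fmt(targets[0]))
    return (False, None)


def version_from_info(info_text):
    """Extract redis_version from `INFO server` output."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


if __name__ == "__main__":
    import sys
    # Pipe real output in (`redis-cli INFO server | python3 check.py`),
    # otherwise the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INFO
    ver = version_from_info(text)
    vulnerable, target = assess(ver)
    if vulnerable:
        print(f"Redis {ver}: affected by CVE-2025-48367 / CVE-2025-32023, upgrade to {target}")
    elif target is None:
        print(f"Redis {ver}: outside the range stated in this bulletin")
    else:
        print(f"Redis {ver}: at or above fix release {target}")
```

The check is deliberately conservative: a version outside 6.0.0 - 8.0.2 is reported as "outside the bulletin's range", not as safe, because the bulletin makes no claim about other branches. Until the update is applied, the attack surface for the HyperLogLog out-of-bounds write (CVE-2025-32023) can be reduced by denying that command category to untrusted accounts with an ACL rule such as `-@hyperloglog`; this is a stop-gap and does nothing for the unauthenticated denial of service (CVE-2025-48367), which only the update addresses.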


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


