Improper Neutralization in Valkey - CVE-2025-67733

 

Published: April 27, 2026


Vulnerability identifier: #VU128026
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-67733
CWE-ID: CWE-707
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Valkey
Affected software:
Valkey

Detailed vulnerability description

The vulnerability allows a remote user to corrupt response data for other users on the same connection.

The vulnerability exists due to improper handling of null characters in the Lua script error handling code when processing scripting command error replies. A remote user can use scripting commands to inject arbitrary information into the response stream and corrupt response data for other users on the same connection.

The issue can affect other users sharing the same connection.


How to mitigate CVE-2025-67733

Install the security update from the vendor's website.
