CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-48367 – Redis DoS Vulnerability due to bad connection error handling
https://notcve.org/view.php?id=CVE-2025-48367
07 Jul 2025 — Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. • https://github.com/redis/redis/commit/bde62951accfc4bb0a516276fd0b4b307e140ce2 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.0EPSS: 0%CPEs: 4EXPL: 1CVE-2025-32023 – Redis allows out of bounds writes in hyperloglog commands leading to RCE
https://notcve.org/view.php?id=CVE-2025-32023
07 Jul 2025 — Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the ... • https://github.com/leesh3288/CVE-2025-32023 • CWE-680: Integer Overflow to Buffer Overflow •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27151 – redis-check-aof may lead to stack overflow and potential RCE
https://notcve.org/view.php?id=CVE-2025-27151
29 May 2025 — Redis is an open source, in-memory database that persists on disk. In versions starting from 7.0.0 to before 8.0.2, a stack-based buffer overflow exists in redis-check-aof due to the use of memcpy with strlen(filepath) when copying a user-supplied file path into a fixed-size stack buffer. This allows an attacker to overflow the stack and potentially achieve code execution. This issue has been patched in version 8.0.2. This update for valkey fixes the following issues. • https://github.com/redis/redis/security/advisories/GHSA-5453-q98w-cmvm • CWE-20: Improper Input Validation CWE-121: Stack-based Buffer Overflow •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-21605 – Redis DoS Vulnerability due to unlimited growth of output buffers abused by unauthenticated client
https://notcve.org/view.php?id=CVE-2025-21605
23 Apr 2025 — Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. • https://github.com/redis/redis/releases/tag/7.4.3 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 3.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-29923 – go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment
https://notcve.org/view.php?id=CVE-2025-29923
28 Feb 2025 — go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the life... • https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6 • CWE-20: Improper Input Validation •
CVSS: 4.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-51741 – Redis allows denial-of-service due to malformed ACL selectors
https://notcve.org/view.php?id=CVE-2024-51741
06 Jan 2025 — Redis is an open source, in-memory database that persists on disk. An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem is fixed in Redis 7.2.7 and 7.4.2. Redis es una base de datos en memoria de código abierto que persiste en el disco. Un usuario autenticado con privilegios suficientes puede crear un selector de ACL mal formado que, cuando se accede a él, desencadena un pánico del servidor... • https://github.com/redis/redis/security/advisories/GHSA-prpq-rh5h-46g9 • CWE-20: Improper Input Validation •
CVSS: 7.2EPSS: 73%CPEs: 3EXPL: 2CVE-2024-46981 – Redis' Lua library commands may lead to remote code execution
https://notcve.org/view.php?id=CVE-2024-46981
06 Jan 2025 — Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands. • https://github.com/publicqi/CVE-2024-46981 • CWE-416: Use After Free •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-31227 – Denial-of-service due to malformed ACL selectors in Redis
https://notcve.org/view.php?id=CVE-2024-31227
07 Oct 2024 — Redis is an open source, in-memory database that persists on disk. An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem exists in Redis 7 prior to versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/redis/redis/commit/b351d5a3210e61cc3b22ba38a723d6da8f3c298a • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-31228 – Denial-of-service due to unbounded pattern matching in Redis
https://notcve.org/view.php?id=CVE-2024-31228
07 Oct 2024 — Redis is an open source, in-memory database that persists on disk. Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. • https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0 • CWE-674: Uncontrolled Recursion •
CVSS: 9.0EPSS: 1%CPEs: 3EXPL: 1CVE-2024-31449 – Lua library commands may lead to stack overflow and RCE in Redis
https://notcve.org/view.php?id=CVE-2024-31449
07 Oct 2024 — Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. • https://github.com/daeseong1209/CVE-2024-31449 • CWE-20: Improper Input Validation CWE-121: Stack-based Buffer Overflow •