A high-severity denial-of-service (DoS) vulnerability in Redis, tracked as CVE-2025-21605, allows unauthenticated attackers to crash servers or exhaust system memory by exploiting improperly restricted output buffers.
The flaw affects Redis versions 2.6 and newer; patches are available in releases 6.2.18, 7.2.8, and 7.4.3.
How the Exploit Works
The vulnerability stems from Redis's default configuration, which imposes no limits on client output buffers.
Attackers can send repeated unauthenticated requests, forcing these buffers to grow without bound.
Even servers with password authentication enabled remain vulnerable if clients do not supply credentials, because the Redis server keeps sending "NOAUTH" error responses that consume memory.
Key Risks:
- Memory exhaustion: servers may crash or become unresponsive.
- Zero authentication required: attackers need no credentials.
- Network-accessible exploitation: instances exposed to the internet are at immediate risk.
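Because the memory described above accumulates in per-client reply buffers, an operator can see it from the server side. The following script is an added illustrative example, not code from the article or from the Redis project: it parses the text that the real `CLIENT LIST` command returns (one client per line, space-separated `key=value` fields) and flags clients whose reply-buffer memory (`omem`, in bytes) has crossed a threshold. The sample input is constructed, and the 64 MB threshold is an assumption chosen for the example.

```python
"""Flag Redis clients whose output buffers are growing abnormally.

Added illustrative example (not from the article or the Redis project).
Input is the text of `CLIENT LIST`; the sample below is constructed.
"""
from dataclasses import dataclass

# Constructed sample of CLIENT LIST output: one healthy client and one whose
# output buffer has ballooned while it keeps receiving NOAUTH error replies.
SAMPLE_CLIENT_LIST = (
    "id=3 addr=10.0.0.5:51234 laddr=10.0.0.2:6379 fd=8 name= age=120 idle=0 "
    "flags=N db=0 sub=0 psub=0 multi=-1 qbuf=26 qbuf-free=20448 obl=0 oll=0 "
    "omem=0 tot-mem=22400 events=r cmd=get user=default\n"
    "id=7 addr=198.51.100.23:40022 laddr=10.0.0.2:6379 fd=9 name= age=35 idle=0 "
    "flags=N db=0 sub=0 psub=0 multi=-1 qbuf=0 qbuf-free=0 obl=0 oll=4096 "
    "omem=268435456 tot-mem=268460000 events=rw cmd=get user=default\n"
)


@dataclass
class ClientOutputBuffer:
    client_id: int
    addr: str
    age_seconds: int
    last_cmd: str
    output_list_len: int   # oll: number of pending reply objects
    output_mem_bytes: int  # omem: memory used by the reply buffer


def parse_client_list(text: str) -> list[ClientOutputBuffer]:
    """Parse CLIENT LIST text into records; fields we do not use are ignored."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for token in line.split():
            key, _, value = token.partition("=")
            fields[key] = value
        records.append(ClientOutputBuffer(
            client_id=int(fields["id"]),
            addr=fields.get("addr", "?"),
            age_seconds=int(fields.get("age", "0")),
            last_cmd=fields.get("cmd", "?"),
            output_list_len=int(fields.get("oll", "0")),
            output_mem_bytes=int(fields.get("omem", "0")),
        ))
    return records


def find_bloated_clients(records, threshold_bytes=64 * 1024 * 1024):
    """Return clients whose output buffer is at or above the threshold, largest first."""
    hits = [r for r in records if r.output_mem_bytes >= threshold_bytes]
    return sorted(hits, key=lambda r: r.output_mem_bytes, reverse=True)


def total_output_buffer_bytes(records) -> int:
    """Sum of omem across all clients: what the reply buffers cost in total."""
    return sum(r.output_mem_bytes for r in records)


if __name__ == "__main__":
    clients = parse_client_list(SAMPLE_CLIENT_LIST)
    print(f"{len(clients)} clients, {total_output_buffer_bytes(clients)} bytes in output buffers")
    for c in find_bloated_clients(clients):
        print(f"ALERT client {c.client_id} {c.addr}: omem={c.output_mem_bytes} "
              f"oll={c.output_list_len} cmd={c.last_cmd} age={c.age_seconds}s")
```

In practice the text would come from `redis-cli CLIENT LIST` run on a schedule; a single client holding hundreds of megabytes of pending replies, or total `omem` climbing steadily while the keyspace is unchanged, is the pattern this flaw produces and is worth paging on.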
| Category | Details |
|---|---|
| Vulnerability Title | Redis DoS Flaw – Unlimited Growth of Output Buffers |
| CVE ID | CVE-2025-21605 |
| Affected Package | redis-server |
| Affected Versions | 2.6 and above |
| Patched Versions | 6.2.18, 7.2.8, 7.4.3 |
| Authentication Required | No (unauthenticated attack) |
| Description | An unauthenticated client can cause unlimited output buffer growth, exhausting server memory. |
| Impact | Server crash, memory exhaustion, denial of service |
| Severity | High (CVSS 8.6/10) |
Mitigation and Patches
Redis maintainers have released emergency fixes that enforce output buffer limits. Users should upgrade to Redis 6.2.18, 7.2.8, or 7.4.3 immediately. For organizations unable to patch promptly, two workarounds are recommended:
- Network access controls: use firewalls or security groups to block unauthorized access.
- TLS with client certificates: require encrypted connections and client authentication.
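The two workarounds above translate into a handful of redis.conf directives. The fragment below is an added illustrative example, not configuration from the article or from the Redis project; the bind address, certificate paths and buffer sizes are assumptions, and the final `client-output-buffer-limit` line is a defence-in-depth setting that the article does not list among its workarounds.

```conf
# Added example redis.conf hardening; addresses, paths and sizes are assumed.
# Redis does not accept trailing comments, so every comment is on its own line.

# Workaround 1: network access control. Listen only on the private interface;
# the host firewall or cloud security group should also block 6379 from
# untrusted networks. Keep protected-mode on.
bind 10.0.0.2
protected-mode yes

# Workaround 2: TLS with client certificates. Disable the plaintext port and
# require a certificate issued by our CA before any command is accepted.
port 0
tls-port 6379
tls-cert-file /etc/redis/tls/server.crt
tls-key-file /etc/redis/tls/server.key
tls-ca-cert-file /etc/redis/tls/ca.crt
tls-auth-clients yes

# Password authentication still belongs here, but on its own it does not stop
# the NOAUTH reply stream described above; that is why the two controls above
# matter. Replace the placeholder with a long random secret.
requirepass REPLACE-WITH-LONG-RANDOM-SECRET

# Defence in depth (assumption, not one of the article's listed workarounds):
# the shipped default for normal clients is "0 0 0", i.e. no limit. With this
# setting a normal client is disconnected once its pending replies exceed 32mb,
# or stay above 8mb for 60 seconds, so size it above the largest legitimate
# reply burst your application produces.
client-output-buffer-limit normal 32mb 8mb 60
```

After reloading, confirm the plaintext port is closed and that a client connecting without a certificate is rejected before it can issue any command; the upgrade to a patched release remains the actual fix.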
With a CVSS score of 8.6 (High), this flaw poses a significant threat to the 300,000+ Redis instances estimated to be publicly exposed online.
Cloud infrastructure and in-memory databases are particularly exposed because of Redis's widespread use for caching, session management, and real-time analytics.
Yaacov Hazan, a Redis maintainer, emphasized the urgency: "This vulnerability allows trivial exploitation with catastrophic consequences.
Organizations must prioritize patching or risk severe service disruptions." Security researcher Polaris-alioth, who discovered the flaw, noted, "The default configuration's lack of buffer limits creates a low-effort attack vector for adversaries."
Recent Redis updates also address:
- Race conditions between the main and module threads (#12817, #12905).
- Memory leaks in FUNCTION FLUSH commands (#13661).
- Premature WAITAOF returns and SLAVEOF crashes (#13793, #13853).
Redis has not yet disclosed when older versions (pre-6.2) will receive backported fixes. Until then, unpatched users must rely on network segmentation or TLS enforcement to mitigate the risk.
This vulnerability highlights the dangers of default configurations in critical infrastructure software.
As Redis powers everything from social media platforms to financial systems, proactive patching isn't just recommended; it is essential to prevent large-scale outages.