Redis up to 7.4.2 allocation of resources

Summaryinfo

A vulnerability was found in Redis up to 7.4.2. It has been classified as critical. Impacted is an unknown function. Performing a manipulation results in allocation of resources. This vulnerability was named CVE-2025-21605. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability, which was classified as critical, was found in Redis up to 7.4.2. This affects an unknown code block. The manipulation with an unknown input leads to a allocation of resources vulnerability. CWE is classifying the issue as CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. This is going to have an impact on availability. The summary by CVE is:

Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways. Either using network access control tools like firewalls, iptables, security groups, etc, or enabling TLS and requiring users to authenticate using client side certificates.

It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2025-21605 since 12/29/2024. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1499 according to MITRE ATT&CK.

The vulnerability scanner Nessus provides a plugin with the ID 234981 (Amazon Linux 2 : redis (ALASREDIS6-2025-012)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 7.4.3 eliminates this vulnerability. The upgrade is hosted for download at github.com.

The vulnerability is also documented in the databases at Tenable (234981) and CERT Bund (WID-SEC-2025-0877). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Affected

• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Fedora Linux
• SUSE Linux
• Oracle Linux
• Gentoo Linux
• SUSE openSUSE
• Open Source Redis

Productinfo

Name

• Redis

Version

• 7.4.0
• 7.4.1
• 7.4.2

License

• open-source

Website

• Product: https://github.com/redis/redis/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion