Redis, the world’s leading in-memory data platform, has issued an urgent patch addressing a high-severity vulnerability (CVE-2025-62507, CVSSv4 7.7) that could allow remote code execution (RCE) under specific conditions. The flaw affects Redis 8.2 and later, with the company confirming that version 8.2.3 contains the fix.
According to Redis’ advisory, the vulnerability stems from a stack buffer overflow triggered by improper input handling in the XACKDEL command — a feature used in stream message acknowledgment and deletion.
“A user can run the XACKDEL command with multiple ID’s and trigger a stack buffer overflow, which may potentially lead to remote code execution,” the advisory states.
Redis identified that the flaw occurs when the XACKDEL implementation fails to properly reallocate memory for a large number of stream IDs.
“The code doesn’t handle the case where the number of ID’s exceeds the STREAMID_STATIC_VECTOR_LEN, and skips a reallocation, which leads to a stack buffer overflow,” the advisory explains.
In practice, an attacker with access to the Redis CLI or API could exploit this bug by passing an excessively large list of IDs to XACKDEL, overwriting portions of the stack memory and potentially achieving arbitrary code execution in the context of the Redis process.
Redis recommends that all users upgrade to version 8.2.3 immediately. For those unable to patch right away, there is a temporary mitigation using Redis’ Access Control Lists (ACLs).
“An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing XACKDEL operation. This can be done using ACL to restrict XACKDEL command,” Redis advises.
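The ACL workaround above can be applied and audited from the shell. The script below is an added example, not part of the Redis advisory or the Redis project; it assumes `redis-cli` is on `PATH` and already configured to reach the server, and the user names `app`, `batch` and the `ACL LIST` sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Redis advisory): apply and audit the ACL
# workaround that denies XACKDEL until redis-server is upgraded to 8.2.3.
# Assumes redis-cli is on PATH and already points at the target server.
set -eu

# Deny XACKDEL for one user on the live server and persist the change when an
# aclfile is configured (ACL SAVE errors without one; the in-memory rule still holds).
deny_xackdel() {
  user="$1"
  redis-cli ACL SETUSER "$user" -xackdel
  redis-cli ACL SAVE 2>/dev/null || true
}

# Audit: read "ACL LIST" style lines on stdin and print the name of every user
# whose rule string carries no explicit "-xackdel" token. XACKDEL is new in 8.2,
# so a pre-existing +@all or +@stream grant reaches it unless it is denied by name.
audit_xackdel() {
  while IFS= read -r line; do
    case "$line" in
      "user "*) ;;
      *) continue ;;
    esac
    name=${line#user }
    name=${name%% *}
    case " $line " in
      *" -xackdel "*) ;;                 # explicit deny present: fine
      *) printf '%s\n' "$name" ;;        # exposed until patched or restricted
    esac
  done
}

# Constructed sample of ACL LIST output so the audit can run without a server.
SAMPLE_ACL_LIST='user app on #abc123 ~* &* +@all -xackdel
user batch on #def456 ~jobs:* &* +@all
user default on nopass sandbox ~* &* +@all'

# Users from the constructed sample that still have XACKDEL reachable.
exposed_users() {
  printf '%s\n' "$SAMPLE_ACL_LIST" | audit_xackdel
}

# Against a real server (commented out so the script runs offline):
#   redis-cli ACL LIST | audit_xackdel
#   deny_xackdel batch
exposed_users
```

The audit is deliberately simple: it only checks that `-xackdel` appears somewhere in the rule string. Because Redis evaluates ACL rules left to right, a `+@all` or `+@stream` placed after the deny would re-enable the command, so review any user whose rules are edited after the workaround is applied, and treat the ACL as a stopgap until 8.2.3 is deployed.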
Interestingly, Redis credits the discovery of CVE-2025-62507 to Google Big Sleep, an AI agent jointly developed by Google DeepMind and Project Zero that acts as an automated security researcher, finding and reporting previously unknown vulnerabilities in software.