Redis, the popular in-memory data store used for caching, message brokering, and real-time analytics, has issued a security advisory highlighting a denial-of-service (DoS) issue tracked as CVE-2025-48367 (CVSSv4 7.0). The vulnerability stems from the misuse of Redis’s multi-bulk protocol commands by authenticated users, potentially impacting availability.
The flaw was responsibly disclosed by security researcher Gabriele Digregorio and subsequently validated by Redis developers. It allows authenticated clients to exploit the command protocol to generate unexpected behavior, leading to service disruption. While the issue does not break Redis’s core security assumptions—namely, that authenticated users are trusted—it can be abused to affect server performance or cause outages.
“This issue relies on abuse or misuse of the commands network protocol built into Redis and requires the user to be successfully authenticated. As such, it does not violate the Redis Security Model… but could still be used to cause unintended or unexpected impact to availability,” the advisory explains.
Interestingly, Redis has chosen not to directly address this issue through a code fix due to the risk of degrading legitimate functionality or reducing performance.
“Our assessment is that implementing an application change to prevent this possibility would negatively impact legitimate functionality and performance of Redis,” the team stated. “As a result, we do not have a fix planned for this issue and are instead opting to publish this Security Advisory.”
Even so, new releases have been published for the four active release branches; these carry general stability improvements and may include related mitigations:
- 8.0.3 – Release notes
- 7.4.5 – Release notes
- 7.2.10 – Release notes
- 6.2.19 – Release notes
Given the nature of this issue, Redis recommends reinforcing access control and identity enforcement:
- Enforce strong authentication and avoid exposing Redis instances to untrusted networks.
- Integrate Redis access with corporate identity providers for added control.
- Review Redis security best practices to harden deployments against authenticated abuse.
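As an added illustration of the access-control recommendations above (this fragment is not part of the advisory or of the Redis project), a redis.conf excerpt contrasts a permissive setup with a hardened one that limits who can authenticate and what an authenticated client may run; the user names, key prefix, password-hash placeholders and TLS file paths are assumptions:

```conf
# --- Permissive settings the recommendations steer away from (kept commented out) ---
# bind 0.0.0.0            # reachable from every interface, including untrusted networks
# protected-mode no       # removes the safety net that applies when no password is set
# requirepass ""          # any client that can connect counts as "authenticated"

# --- Hardened settings ---
bind 127.0.0.1 -::1       # local clients only; remote access goes over a private network or tunnel
protected-mode yes
port 6379

# Turn off the legacy default user so every client must present named credentials.
user default off

# Application identity (constructed example): confined to its own key prefix and to the
# read/write command categories it needs; "#<...>" stands for the SHA-256 hex of its password.
user app on #<64-hex-sha256-placeholder> ~app:* +@read +@write -@dangerous

# Separate operator identity so administrative use is attributable; still no CONFIG/DEBUG
# and other @dangerous commands over the network.
user ops on #<64-hex-sha256-placeholder> ~* +@all -@dangerous

# Encrypt anything that leaves the host (requires a TLS-enabled build); paths are assumptions.
tls-port 6380
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
tls-ca-cert-file /etc/redis/tls/ca.crt
```

With `user default off`, clients that relied on a bare `AUTH <password>` must switch to `AUTH <username> <password>`, so roll this out alongside the application change.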