Security researchers at JFrog Security Research have publicly disclosed a complete exploit chain for a high-severity vulnerability in Redis, proving that “old school” stack buffer overflows are still very much alive—and dangerous—in 2026.
The vulnerability, tracked as CVE-2025-62507 with a CVSS score of 8.8, affects Redis versions 8.2.0 through 8.2.2. While the official advisory warned of potential risks, JFrog’s team decided to push further to see whether they could achieve full Remote Code Execution (RCE). They succeeded.
The flaw resides in the XACKDEL command, a new feature introduced to optimize stream processing. The command allows users to acknowledge and delete multiple messages in a single atomic operation. However, the implementation failed to account for a basic boundary check.
“The core issue is that the code does not verify that the number of IDs provided by the client fits within the bounds of this stack-allocated array,” reads the analysis.
When a user supplies more message IDs than the fixed-size array can hold, the function blindly writes past the end of the buffer. Because these IDs are controlled by the attacker, they can be used to overwrite critical stack memory, including the function’s return address.
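To make the bug class concrete, here is an added C illustration of the pattern the article describes: a command handler that copies a client-supplied number of IDs into a fixed-size stack array, first without a bounds check and then with the check that prevents the overflow. This is example code written for this page, not Redis source and not JFrog's exploit; the names `stream_id`, `MAX_STREAM_IDS`, `ack_ids_unchecked`, `ack_ids_checked` and `make_ids` are assumptions, and the array size is deliberately small.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified model of the bug class (not Redis's real layout):
 * a per-command, fixed-size array of stream IDs living on the stack. */
#define MAX_STREAM_IDS 16

typedef struct {
    uint64_t ms;   /* millisecond part of a stream ID */
    uint64_t seq;  /* sequence part of a stream ID */
} stream_id;

/* Helper: fill a caller-provided array with n constructed IDs (ms = 1..n). */
void make_ids(stream_id *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        out[i].ms = (uint64_t)i + 1;
        out[i].seq = 0;
    }
}

/* Stand-in for the real per-ID work: count IDs with a non-zero ms field. */
static int count_acked(const stream_id *ids, size_t count) {
    int acked = 0;
    for (size_t i = 0; i < count; i++)
        if (ids[i].ms != 0)
            acked++;
    return acked;
}

/* Vulnerable pattern: the client-supplied count is trusted, so when it
 * exceeds MAX_STREAM_IDS the loop writes past the end of `local`, i.e. into
 * saved registers and the return address (the overflow the article describes).
 * Included only to show the defect; never call it with count > MAX_STREAM_IDS. */
int ack_ids_unchecked(const stream_id *ids, size_t count) {
    stream_id local[MAX_STREAM_IDS];
    for (size_t i = 0; i < count; i++)
        local[i] = ids[i];   /* out-of-bounds write once i >= MAX_STREAM_IDS */
    return count_acked(local, count);
}

/* Hardened form: validate the count against the array capacity before any
 * write. Returning -1 lets the caller send an error reply instead of crashing
 * or handing the client control of the stack. */
int ack_ids_checked(const stream_id *ids, size_t count) {
    stream_id local[MAX_STREAM_IDS];
    if (count > MAX_STREAM_IDS)
        return -1;                         /* reject, do not touch the buffer */
    memcpy(local, ids, count * sizeof *ids);
    return count_acked(local, count);
}

int main(void) {
    stream_id ids[64];
    make_ids(ids, 64);
    printf("checked, 16 ids : %d\n", ack_ids_checked(ids, 16));  /* 16 */
    printf("checked, 62 ids : %d\n", ack_ids_checked(ids, 62));  /* -1 */
    return 0;
}
```

The fix is the explicit comparison of the supplied count against the array's capacity; a stack canary (`-fstack-protector-strong` in GCC and Clang) would only turn the unchecked version's silent corruption into an abort, which is why the article treats the missing canary in the Docker build as a separate, aggravating problem rather than the root cause.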
Typically, modern software is hardened against this type of attack using “stack canaries”—secret values placed on the stack to detect corruption before execution is hijacked. However, during their investigation, the researchers made a shocking discovery about the official Redis Docker image.
“Surprisingly, this direct control of EIP shows that Redis is compiled without stack canary protections in the official Docker image!”
This omission turned a difficult exploit into a trivial one. With no canary to stop them, the researchers were able to precisely control the instruction pointer. They constructed a Return-Oriented Programming (ROP) chain to bypass NX (No-eXecute) protections, using the system’s own mprotect function to mark the stack as executable before running their own shellcode.
JFrog successfully demonstrated the attack by sending a specific sequence of commands—an XGROUP CREATE followed by an XACKDEL with 62 carefully crafted message IDs—which triggered the reverse shell.
The vulnerability is fixed in Redis version 8.3.2. However, the exposure is significant. Shodan scans reveal nearly 3,000 servers explicitly running vulnerable versions, with the majority located in Germany, the United States, and China.
Crucially, because Redis does not enforce authentication by default, this vulnerability often allows for unauthenticated remote code execution, making it a prime target for opportunistic attackers.