
A high-severity vulnerability has been discovered in Redis, the popular open-source in-memory data structure store, which could allow unauthenticated users to exhaust server memory and cause a Denial-of-Service (DoS) condition. Tracked as CVE-2025-21605, the flaw affects all Redis versions from 2.6 onward, and has received a CVSS score of 7.5.
According to Redis maintainers: “An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed.”
This issue arises from Redis's default configuration, which imposes no limit on the output buffers of normal clients (the client-output-buffer-limit setting defaults to 0 0 0 for the normal class). Without such a limit, an output buffer can grow indefinitely, resulting in memory exhaustion over time.
What makes CVE-2025-21605 particularly concerning is that the attack can be executed without authentication. Even when password authentication is enabled, the vulnerability persists:
“When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from ‘NOAUTH’ responses until the system will run out of memory.”
In essence, a rogue client could simply flood the server with unauthorized requests, triggering a continuous stream of NOAUTH responses that accumulate in the output buffer and overwhelm the system.
Redis versions starting from 2.6 are impacted by this vulnerability. The issue has been patched in the following versions:
Administrators who are unable to upgrade immediately can take alternative actions to reduce risk:
“An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis.”
Recommended mitigations include:
- Implementing network access controls such as firewalls, iptables, or cloud security groups.
- Enabling TLS and requiring client-side certificate authentication.
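As an added example, not code from the article or the Redis project: a small audit script that checks a redis.conf for the two mitigations above, a bounded output buffer for normal clients and TLS-only access with mandatory client certificates. The directive names are real redis.conf options; the certificate paths and the 256mb/64mb/60 limit values are assumed sample values, not Redis recommendations.

```python
"""Audit a redis.conf for the two CVE-2025-21605 mitigations (added example)."""
import shlex

# Redis size suffixes: k/m/g are powers of 1000, kb/mb/gb are powers of 1024.
_UNITS = {"": 1, "k": 10**3, "kb": 2**10, "m": 10**6, "mb": 2**20, "g": 10**9, "gb": 2**30}

def parse_memory(value: str) -> int:
    """Convert a redis.conf size such as '64mb' or '0' to bytes."""
    digits = value.rstrip("kKmMgGbB")
    return int(digits) * _UNITS[value[len(digits):].lower()]

def parse_conf(text: str) -> dict:
    """Map directive -> args; client-output-buffer-limit is keyed by client class."""
    conf = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        name, args = parts[0].lower(), parts[1:]
        if name == "client-output-buffer-limit" and args:
            conf.setdefault(name, {})[args[0].lower()] = args[1:]
        else:
            conf[name] = args
    return conf

def audit(text: str) -> list:
    """Return findings; an empty list means both mitigations are configured."""
    conf = parse_conf(text)
    findings = []
    # Stock default is 'normal 0 0 0': no hard or soft limit, so buffers grow unbounded.
    normal = conf.get("client-output-buffer-limit", {}).get("normal", ["0", "0", "0"])
    if parse_memory(normal[0]) == 0 and parse_memory(normal[1]) == 0:
        findings.append("normal clients have no output-buffer limit")
    # Keep unauthenticated clients off the server: TLS only, client certificate required.
    if conf.get("port", ["6379"])[0] != "0":
        findings.append("plaintext port open; set 'port 0' and serve TLS only")
    if conf.get("tls-port", ["0"])[0] == "0":
        findings.append("TLS disabled; set tls-port and require client certificates")
    elif conf.get("tls-auth-clients", ["yes"])[0].lower() != "yes":
        findings.append("tls-auth-clients is not 'yes'; connections without a cert allowed")
    return findings

# Constructed samples: stock defaults (exposed) and a hardened file (assumed paths/limits).
WEAK_CONF = "port 6379\nclient-output-buffer-limit normal 0 0 0\n"
HARDENED_CONF = ("port 0\ntls-port 6379\ntls-cert-file /etc/redis/server.crt\n"
                 "tls-key-file /etc/redis/server.key\ntls-ca-cert-file /etc/redis/ca.crt\n"
                 "tls-auth-clients yes\nclient-output-buffer-limit normal 256mb 64mb 60\n")
```

Run audit() over the live /etc/redis/redis.conf on each node; a non-empty list means the server still matches the exposed configuration described in the advisory.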