AI description
CVE-2025-32023 is a vulnerability affecting Redis, an open-source, in-memory database. It stems from a stack/heap out-of-bounds write within hyperloglog operations. An authenticated user can exploit this vulnerability by using a specially crafted string, potentially leading to remote code execution. The vulnerability affects Redis versions from 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19. The issue is addressed in versions 8.0.3, 7.4.5, 7.2.10, and 6.2.19. As a workaround, users can restrict the execution of hyperloglog operations using ACL to mitigate the risk without patching.
- Description: Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands.
- Source: security-advisories@github.com
- NVD status: Received
CVSS 3.1
- Type: Secondary
- Base score: 7
- Impact score: 5.9
- Exploitability score: 1
- Vector string: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity: HIGH
- Source: security-advisories@github.com
- Weakness: CWE-680
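A defender-side check for the ACL workaround named in the description (deny hyperloglog commands until redis-server is patched), as an added example that is neither the advisory's nor the Redis project's code: it evaluates the command part of constructed `ACL LIST` lines with a simplified model of Redis's command categories and reports which users can still reach HLL commands. The category table, the sample users and their placeholder password hashes are assumptions of the example.

```python
# Simplified subset of Redis command categories (assumption: real Redis has
# far more commands and categories; only what this audit needs is modelled).
CATEGORIES = {
    "hyperloglog": {"pfadd", "pfcount", "pfmerge", "pfdebug", "pfselftest"},
    "read": {"get", "pfcount"},
    "write": {"set", "pfadd", "pfmerge"},
}
ALL_COMMANDS = set().union(*CATEGORIES.values())
HLL_COMMANDS = CATEGORIES["hyperloglog"]

# Constructed ACL LIST output; "#..." stands in for a real SHA-256 password hash.
SAMPLE_ACL_LIST = [
    "user default on nopass ~* &* +@all",                              # unrestricted
    "user app on #abc ~app:* &* -@all +@read +@write -@hyperloglog",   # workaround applied
    "user analytics on #def ~* &* -@all +@read +pfcount",              # HLL re-enabled per command
]

def allowed_commands(rule_string):
    """Set of commands a user may run. Selectors apply left to right, as in Redis:
    +@all/allcommands, -@all/nocommands, +@cat, -@cat, +cmd, -cmd.
    Key (~), channel (&), password (>/#) and on/off tokens are ignored here."""
    allowed = set()
    for tok in rule_string.split():
        if tok in ("allcommands", "+@all"):
            allowed = set(ALL_COMMANDS)
        elif tok in ("nocommands", "-@all"):
            allowed = set()
        elif tok.startswith(("+@", "-@")):
            members = CATEGORIES.get(tok[2:], set())
            allowed = allowed | members if tok[0] == "+" else allowed - members
        elif tok.startswith(("+", "-")):
            cmd = tok[1:].split("|")[0].lower()   # drop subcommand qualifier
            allowed.add(cmd) if tok[0] == "+" else allowed.discard(cmd)
    return allowed

def hll_exposure(acl_list_lines):
    """Map each user to the HLL commands it can still run; empty set = mitigated."""
    report = {}
    for line in acl_list_lines:
        parts = line.split(None, 2)            # "user", <name>, <rules>
        if len(parts) < 3 or parts[0] != "user":
            continue
        name, rules = parts[1], parts[2]
        if "off" in rules.split():             # disabled user cannot run anything
            report[name] = set()
            continue
        report[name] = allowed_commands(rules) & HLL_COMMANDS
    return report

if __name__ == "__main__":
    for user, cmds in hll_exposure(SAMPLE_ACL_LIST).items():
        print(f"{user}: {'mitigated' if not cmds else 'exposed: ' + ', '.join(sorted(cmds))}")
```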
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 21
🚨 @Redisinc addresses CVE-2025-32023, CVE-2025-48367. Two HIGH severity flaws (CVSS 7.0-7.5) affecting thousands of companies worldwide. 🧵👇 https://t.co/0q4iY4Xh5B
@gothburz
7 Jul 2025
180 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
(CVE-2025-32023)[redis]Stack/heap OOBW in hyperloglog commands -> RCE https://t.co/bOPRCbqgoF Zerodeo: https://t.co/kGsfQj8tue PoC & Exploit: https://t.co/r1BU7GZc1X Reported by Seunghyun Lee (@0x10n), as part of PlaidCTF 2025
@xvonfers
7 Jul 2025
2889 Impressions
17 Retweets
49 Likes
25 Bookmarks
0 Replies
0 Quotes
CVE-2025-32023 Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially craf… https://t.co/6GsbnvQ47e
@CVEnew
7 Jul 2025
437 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CTF player ethics] A remote code execution vulnerability in Redis. CVE-2025-32023 is an out-of-bounds write with a CVSS score of 7.0. A PoC exists. It was set as a troll problem at PlaidCTF 2025, run by Carnegie Mellon's PPP, as a real zero-day. https://t.co/KmFVqPqYmb
@__kokumoto
7 Jul 2025
5215 Impressions
13 Retweets
72 Likes
28 Bookmarks
1 Reply
1 Quote