CVE-2025-48367

Published Jul 7, 2025

Last updated 6 months ago

Overview

Description
Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.
Source: security-advisories@github.com
NVD status: Analyzed
Products: redis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH

Weaknesses

security-advisories@github.com
CWE-770

Social media

Hype score: Not currently trending
  1. 🚨 Critical Redis patch for #openSUSE Leap 15.6! CVE-2025-32023: Remote Code Execution via HyperLogLog CVE-2025-48367: Denial-of-Service attack vector Read more: 👉https://t.co/9q90tQw0I4 #Security https://t.co/lyH2yKtqea

    @Cezar_H_Linux, 4 Sept 2025

    105 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  2. 🔥 Critical #Valkey Security Update! Patch immediately if using @openSUSE Leap 15.6 or @SUSELinuxEnterprise 15 SP6. ⚠️ CVE-2025-32023 (RCE - CVSS 8.8) - HyperLogLog exploit. ⚠️ CVE-2025-48367 (DoS) - Unauthenticated starvation. Read more: 👉 https://t.co/sOKkHyOQnK ht

    @Cezar_H_Linux, 2 Aug 2025

    50 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 1 Reply, 0 Quotes

  3. Warning: Two high severity vulnerabilities in @DahuaHQ smart cameras. CVE-2025-48367 and CVE-2025-32023 CVSS: 8.1. These buffer overflows can lead to a #DoS and, depending on the configuration, an #RCE! More info: https://t.co/8XN7t0oASS #Patch #Patch #Patch

    @CCBalert, 1 Aug 2025

    47 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  4. 🚨 @Redisinc addresses CVE-2025-32023, CVE-2025-48367. Two HIGH severity flaws (CVSS 7.0-7.5) affecting thousands of companies worldwide. 🧵👇 https://t.co/0q4iY4Xh5B

    @gothburz, 7 Jul 2025

    190 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 1 Reply, 0 Quotes

  5. CVE-2025-48367: DoS in Redis, 7.0 rating❗️ One of two recent vulnerabilities discovered in Redis. Allows an attacker to perform a DoS. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/dFnTWK9GUP #cybersecurity #vulnerability_map https://t.co/9zMhG7JTqi

    @Netlas_io, 7 Jul 2025

    65 Impressions, 2 Retweets, 2 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  6. Redis discloses CVE-2025-48367 (CVSSv4 7.0), a DoS flaw where authenticated clients can misuse multi-bulk commands. No direct code fix is planned; reinforce access controls. #Redis #DoSAttack #Cybersecurity #Vulnerability #DataStore https://t.co/ZgUMDJBsAy

    @the_yellow_fall, 7 Jul 2025

    685 Impressions, 7 Retweets, 12 Likes, 3 Bookmarks, 0 Replies, 0 Quotes

Configurations