- Description: Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for Lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
- Source: security-advisories@github.com
- NVD status: Analyzed
- Products: valkey
CVSS 3.1
- Type: Primary
- Base score: 7.1
- Impact score: 4.2
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
- Severity: HIGH
- security-advisories@github.com
- CWE-74
- Hype score: Not currently trending
EasyApache 4 v25.49 is now available: • Valkey 7.2 → 7.2.12 • Fix for CVE-2026-21863 (remote DoS via malformed cluster bus message) • Fix for CVE-2025-67733 (RESP protocol injection via Lua error_reply) Full change log → https://t.co/I90mlsRNoX #EasyApache #cPanelUpd
@cPanel
13 Mar 2026
Critical DoS flaws in Valkey affect Fedora 42-43. CVE-2026-21863 and CVE-2025-67733 (PoC public) fixed in recent updates. Fedora users should patch immediately. #infosec https://t.co/9mVEj7fX0a
@threatcluster
5 Mar 2026
CVE-2025-67733 (CVSS:8.5, HIGH) is Analyzed. Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use ..https://t.co/vaBFnwMoL2 #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre
@cracbot
28 Feb 2026
`Valkey` is affected by a RESP Protocol Injection vulnerability (CVE-2025-67733) via Lua error replies. This can lead to data manipulation. Update available. #Valkey #Lua #infosec https://t.co/lkGc0EuSam
@pulsepatchio
25 Feb 2026
CVE-2025-67733 Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary informa… https://t.co/4tuWIv0Old
@CVEnew
24 Feb 2026
CVE-2025-67733 Lua Script Injection Vulnerability in Valkey Versions Prior to 9.0.2 https://t.co/LxyXq8Bf5v
@VulmonFeeds
23 Feb 2026
[CVE-2025-67733: HIGH] Valkey database had a cyber security vulnerability allowing users to inject info into responses, risking data integrity. Update to versions 9.0.2, 8.1.6, 8.0.7, 7.2.12 to fix it. #cve, CVE-2025-67733, #cybersecurity https://t.co/OXBuaeys4O
@CveFindCom
23 Feb 2026
**CVE-2025-67733** pertains to a security flaw in **Valkey**, a distributed key-value database system. The vulnerability arises from improper handling of scripting commands, specifically Lua scripts, within the application. Prior to the fixed versions, malicious users could
@CveTodo
23 Feb 2026
🟠 CVE-2025-67733 - High Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response st... https://t.co/Txbw98CyJy https://t.co/9rzjsoxdOD
@TheHackerWire
23 Feb 2026
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "0A7DFDB2-5FDE-4F69-9B9E-7ED6D910EF76",
            "versionEndExcluding": "7.2.12",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "2375C3CF-6580-4EA0-AA6A-A92198CB7E1F",
            "versionEndExcluding": "8.0.7",
            "versionStartIncluding": "8.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "03050B63-5660-4DFF-B6AC-3E701B9D199D",
            "versionEndExcluding": "8.1.6",
            "versionStartIncluding": "8.1.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "315880B4-E0D2-4366-8E7B-2B97D82BA92E",
            "versionEndExcluding": "9.0.2",
            "versionStartIncluding": "9.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]