PT-2025-12366 · Go-Redis+2
Published 2025-03-20 · Updated 2026-06-10 · CVE-2025-29923
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
go-redis versions prior to 9.5.5
go-redis versions prior to 9.6.3
go-redis versions prior to 9.7.3
Description
The issue occurs when CLIENT SETINFO times out during connection establishment, potentially causing out-of-order responses. This can happen due to network connectivity issues, aggressive timeouts, or when the client is configured to transmit its identity. The problem affects multiple use cases, including sticky connections, where persistent out-of-order responses are received for the lifetime of the connection, and all commands in the pipeline receive incorrect responses. When used with the default ConnPool, at most one out-of-order response is received before the connection is discarded.
Recommendations
For versions prior to 9.5.5, update to version 9.5.5 or later.
For versions prior to 9.6.3, update to version 9.6.3 or later.
For versions prior to 9.7.3, update to version 9.7.3 or later.
As a temporary workaround, consider setting the DisableIdentity flag to true when constructing the client instance to prevent the vulnerability.
Exploit
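The following Go simulation, added here and not taken from go-redis itself, models the desynchronisation the description above refers to: an unread CLIENT SETINFO reply left on the wire shifts every later reply by one, a sticky connection keeps returning stale replies, the default pool drops the connection after the first bad reply, and disabling the identity handshake leaves nothing to desync. The fakeConn type, the reply strings and the Replies function are constructed for this example.

```go
package main

import "fmt"

// fakeConn models one Redis connection as a FIFO of replies the client
// has not yet read. Constructed for this example; not go-redis code.
type fakeConn struct{ pending []string }

func (c *fakeConn) send(cmd string) {
	reply := map[string]string{
		"CLIENT SETINFO": "+OK",
		"GET a":          "$1 a",
		"GET b":          "$1 b",
	}[cmd]
	c.pending = append(c.pending, reply)
}

func (c *fakeConn) recv() string {
	r := c.pending[0]
	c.pending = c.pending[1:]
	return r
}

// handshake sends CLIENT SETINFO unless identity is disabled. If the read
// times out, the +OK stays unread on the wire and the connection is desynced.
func handshake(c *fakeConn, disableIdentity, timeout bool) (desynced bool) {
	if disableIdentity {
		return false
	}
	c.send("CLIENT SETINFO")
	if timeout {
		return true
	}
	c.recv()
	return false
}

// Replies returns what two consecutive GETs observe on one connection.
// sticky=true keeps a desynced connection for its whole lifetime; sticky=false
// models the default pool, which discards the connection after one bad reply.
func Replies(disableIdentity, timeout, sticky bool) []string {
	c := &fakeConn{}
	desynced := handshake(c, disableIdentity, timeout)
	var out []string
	for _, cmd := range []string{"GET a", "GET b"} {
		c.send(cmd)
		out = append(out, c.recv())
		if desynced && !sticky { // pool drops the bad connection, dials a new one
			c = &fakeConn{}
			desynced = handshake(c, disableIdentity, false)
		}
	}
	return out
}

func main() {
	fmt.Println(Replies(false, true, true))  // [+OK $1 a]  stale reply persists
	fmt.Println(Replies(false, true, false)) // [+OK $1 b]  one bad reply, then recovered
	fmt.Println(Replies(true, true, true))   // [$1 a $1 b] DisableIdentity: nothing to desync
}
```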
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Suse
Go-Redis