PT-2025-17641 · Redis+8
Polaris-Alioth · Published 2025-04-23 · Updated 2026-01-21
CVE-2025-21605
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Redis versions 2.6 through 7.4.2
Description
Redis is an open source, in-memory database that persists to disk. An unauthenticated client can cause unlimited growth of the server's output buffers until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients, so the buffer can grow without bound over time, consuming memory and exhausting the service. When password authentication is enabled on the Redis server but the client never supplies a password, the client can still make the output buffer grow from the accumulated "NOAUTH" responses until the system runs out of memory.
Recommendations
For versions 2.6 through 7.4.2, update to version 7.4.3 to resolve the issue.
As a temporary workaround, consider blocking access so that unauthenticated users cannot connect to Redis, using network access control tools such as firewalls, iptables, security groups, etc., or enabling TLS and requiring users to authenticate with client-side certificates.
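As an added check (not part of this advisory and not Redis project code), the script below parses a `CONFIG GET client-output-buffer-limit` reply to report whether the `normal` client class is unbounded, and scans `CLIENT LIST` output for connections already holding large output buffers (the `omem` field); the sample replies are constructed, and the 64 MiB alert threshold is an assumption.

```python
import re

# Redis size suffixes: 1k = 1000 bytes, 1kb = 1024 bytes, and so on.
_UNITS = {"": 1, "b": 1, "k": 1000, "kb": 1024, "m": 1000 ** 2,
          "mb": 1024 ** 2, "g": 1000 ** 3, "gb": 1024 ** 3}

def parse_size(token: str) -> int:
    """Accept plain byte counts (as CONFIG GET returns them) or
    redis.conf style values such as 256mb."""
    m = re.fullmatch(r"(\d+)([a-zA-Z]*)", token.strip())
    if not m:
        raise ValueError(f"bad size: {token!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]

def output_buffer_limits(config_value: str) -> dict:
    """Parse a client-output-buffer-limit value into
    {class: (hard_bytes, soft_bytes, soft_seconds)}; 0 means no limit."""
    t = config_value.split()
    return {t[i]: (parse_size(t[i + 1]), parse_size(t[i + 2]), int(t[i + 3]))
            for i in range(0, len(t) - 3, 4)}

def normal_clients_unbounded(config_value: str) -> bool:
    """True when the 'normal' class has neither a hard nor a soft limit,
    which is the default condition this advisory describes."""
    hard, soft, _ = output_buffer_limits(config_value).get("normal", (0, 0, 0))
    return hard == 0 and soft == 0

def clients_over_omem(client_list: str, threshold: int) -> list:
    """Return (id, addr, omem) for every CLIENT LIST entry whose output
    buffer memory (omem, in bytes) exceeds threshold."""
    hits = []
    for line in client_list.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if "omem" in fields and int(fields["omem"]) > threshold:
            hits.append((fields.get("id"), fields.get("addr"), int(fields["omem"])))
    return hits

# Constructed sample replies, not captured from a real server.
SAMPLE_CONFIG = "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
SAMPLE_CLIENT_LIST = (
    "id=3 addr=10.0.0.5:41224 fd=8 name= age=12 idle=0 flags=N db=0 sub=0 psub=0 "
    "multi=-1 qbuf=26 qbuf-free=40928 obl=0 oll=0 omem=0 events=r cmd=client\n"
    "id=7 addr=203.0.113.9:55120 fd=9 name= age=900 idle=0 flags=N db=0 sub=0 "
    "psub=0 multi=-1 qbuf=0 qbuf-free=0 obl=0 oll=4096 omem=536870912 events=rw cmd=ping\n"
)

if __name__ == "__main__":
    if normal_clients_unbounded(SAMPLE_CONFIG):
        print("normal clients have no output buffer limit; set client-output-buffer-limit normal")
    for cid, addr, omem in clients_over_omem(SAMPLE_CLIENT_LIST, 64 * 1024 * 1024):
        print(f"client {cid} from {addr} holds {omem} bytes of pending output")
```

Feed it the real replies from `redis-cli CONFIG GET client-output-buffer-limit` and `redis-cli CLIENT LIST` to check a running server.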
Tags: Exploit · Fix · DoS · Allocation of Resources Without Limits
Affected Products
ALT Linux
AlmaLinux
CentOS
Debian
Red Hat
RED OS
Redis
Rocky Linux
SUSE