PT-2025-28183 · Redis
Leesh3288 · Published 2025-07-06 · Updated 2026-03-24
CVE-2025-32023 · CVSS v3.1 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Redis versions 2.8 through 8.0.3, 7.4.5, 7.2.10, and 6.2.19. Valkey versions up to 8.1.3 and 8.0.4 are also affected.
Description:
Redis and Valkey are vulnerable to a heap-based buffer overflow in the HyperLogLog functionality. An authenticated attacker can exploit this vulnerability by sending a specially crafted string, potentially leading to remote code execution (RCE). The root cause is an integer overflow in the hllMerge() function when processing sparse HyperLogLog data, leading to an out-of-bounds write. A Proof-of-Concept (PoC) exploit is available. The vulnerability affects Redis versions 2.8 and later, up to and including 8.0.3, 7.4.5, 7.2.10, and 6.2.19. Valkey versions up to 8.1.3 and 8.0.4 are also impacted.
Recommendations:
- Upgrade Redis to version 8.0.3 or later, 7.4.5 or later, 7.2.10 or later, or 6.2.19 or later.
- Upgrade Valkey to version 8.1.3 or 8.0.4 or later.
- As a temporary mitigation, restrict access to HyperLogLog commands using ACLs: ACL SETUSER username -pfadd -pfcount -pfmerge
- Monitor for anomalous HyperLogLog operations, unexpected crashes, and unusual network traffic.
- Limit network access to Redis and Valkey instances to trusted sources and implement robust authentication mechanisms.
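The two checks a defender would run against the advice above, written here as an added example (not code from the advisory, Redis or Valkey): a version comparison against the fixed releases named in the upgrade recommendations, and a conservative evaluation of ACL LIST entries to confirm the temporary ACL mitigation actually denies the three HyperLogLog commands. It assumes the recommended upgrade versions are the first fixed releases and that a branch with no listed fix is affected unless it is newer than every fixed branch; SAMPLE_INFO and SAMPLE_ACL are constructed stand-ins for INFO server and ACL LIST output.

```python
import re

# Minimum patched releases per branch, from the advisory's upgrade advice (assumed to be the first fixed versions).
FIXED = {
    "redis": {(8, 0): (8, 0, 3), (7, 4): (7, 4, 5), (7, 2): (7, 2, 10), (6, 2): (6, 2, 19)},
    "valkey": {(8, 1): (8, 1, 3), (8, 0): (8, 0, 4)},
}
FIRST_AFFECTED = {"redis": (2, 8, 0), "valkey": (0, 0, 0)}  # Valkey lower bound not given; assume all
HLL_COMMANDS = ("pfadd", "pfcount", "pfmerge")

def parse_version(text):
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(product, version):
    v = parse_version(version)
    if v < FIRST_AFFECTED[product]:
        return False
    branch, fixed = v[:2], FIXED[product]
    if branch in fixed:
        return v < fixed[branch]
    # Branch with no listed fix (e.g. Redis 7.0): affected unless newer than every fixed branch (assumption).
    return branch < max(fixed)

def hll_blocked(acl_entry):
    """Conservative check of one ACL LIST line: True only if pfadd, pfcount and pfmerge
    are clearly denied; any +@category other than @all/@hyperloglog is assumed to grant them."""
    allowed = dict.fromkeys(HLL_COMMANDS, False)  # a fresh ACL user starts at -@all
    for tok in acl_entry.split():
        if tok[0] not in "+-" or len(tok) < 2:
            continue  # on/off, ~keys, &channels, #hash, nopass: no command rules
        grant, name = tok[0] == "+", tok[1:].lower()
        if name.startswith("@"):
            if grant or name[1:] in ("all", "hyperloglog"):
                allowed = dict.fromkeys(HLL_COMMANDS, grant)
        elif name in allowed:
            allowed[name] = grant
    return not any(allowed.values())

def audit(info_text, acl_entries):
    """Combine both checks; Valkey also reports a compatibility redis_version, so prefer valkey."""
    versions = dict(re.findall(r"^(\w+)_version:(\S+)", info_text, re.M))
    product = "valkey" if "valkey" in versions else "redis"
    exposed = [e.split()[1] for e in acl_entries if not hll_blocked(e)]
    return {"product": product, "version": versions[product],
            "affected": is_affected(product, versions[product]), "unmitigated_users": exposed}

SAMPLE_INFO = "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"  # constructed INFO output
SAMPLE_ACL = ["user default on nopass sanitize-payload ~* &* +@all -pfadd -pfcount -pfmerge",
              "user app on #<hash-placeholder> ~* &* +@all"]  # constructed ACL LIST entries
```

Calling audit(SAMPLE_INFO, SAMPLE_ACL) reports the sample 7.2.4 instance as affected and lists "app" as the user whose ACL still permits the HyperLogLog commands; feed it real INFO server and ACL LIST output to audit a live instance.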
Tags: Exploit · Fix · RCE · DoS · Integer Overflow
Affected Products:
ALT Linux
AlmaLinux
Astra Linux
CentOS
Debian
Linux Mint
Red Hat
RED OS
Redis
Rocky Linux
SUSE
Ubuntu