Database Redis: Vulnerability allows execution of malicious code
A security vulnerability in the Redis database allows attackers to inject and execute malicious code. An update is available.
(Image: vectorfusionart/Shutterstock.com)
The developers of the in-memory database Redis have closed a security vulnerability that allows attackers to execute arbitrary malicious code.
The Redis GitHub repository contains a security advisory describing the vulnerability. According to the advisory, a user can call the XACKDEL command with multiple IDs and thereby trigger a stack-based buffer overflow, which in turn can lead to the execution of previously injected code (CVE-2025-62507, CVSS between 7.7 and 9.8, risk “high” to “critical”). The root cause is that the Redis code does not handle the case where the number of IDs exceeds STREAMID_STATIC_VECTOR_LEN. It therefore skips a required reallocation, which ultimately results in the stack-based buffer overflow.
Redis Vulnerability: Unclear Risk Classification
The Redis developers calculate a CVSS 4 score of 7.7, which corresponds to a high risk. The SUSE maintainers, on the other hand, rate it at 9.3 (CVSS 4) and 9.8 (CVSS 3.1), both of which correspond to the risk level “critical”.
The issue affects Redis 8.2 onwards; version 8.2.3 and newer no longer contain the error. Admins running Redis should update to this or a newer version of the database. Those who cannot update yet should put temporary countermeasures in place. The Redis programmers explain that users can be prevented from executing the vulnerable XACKDEL command by restricting access to it with an ACL (Access Control List).
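The ACL-based workaround described above, as an added example in redis.conf syntax (not taken from the Redis project or the advisory); the `app` user, its key pattern and its password are placeholders:

```conf
# Added example: deny the vulnerable XACKDEL command without touching
# anything else. ACL rules are applied left to right, so "-xackdel"
# placed after "+@all" removes just that one command.
#
# The "default" line mirrors the out-of-the-box user (on, no password,
# all keys, all channels) and only subtracts XACKDEL; tighten the rest
# of it if your deployment allows.
user default on nopass ~* &* +@all -xackdel

# A dedicated application user that is limited to its own key prefix and
# likewise loses XACKDEL. Replace the password and key pattern.
user app on >change-me ~app:* &* +@read +@write -xackdel
```

The same restriction can be applied at runtime without a restart via `ACL SETUSER default -xackdel` and checked with `ACL LIST`; a client that then calls XACKDEL receives a NOPERM error instead of reaching the affected code path.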
About four weeks ago, the programmers had already closed a security vulnerability in Redis classified as critical. With carefully crafted Lua scripts, it was possible to provoke a use-after-free situation and execute injected program code. Redis version 8.2.2 corrected this.
(dmk)