Valkey
CVE-2025-67733
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Network-reachable and low-complexity but requires a scripting-capable authenticated account (PR:L); impact is data tampering across a shared connection (I:L) with no confidentiality loss and at most minor availability disruption, so A:L not A:H.
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
9DescriptionNVD
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
AnalysisAI
Response-stream injection in Valkey (the Redis fork) lets an authenticated user abuse Lua scripting commands to smuggle arbitrary bytes into the reply stream, corrupting or tampering with data returned to other users sharing the same connection. The flaw stems from the Lua script error-handling path mishandling null characters. It affects all releases prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. No public exploit identified at time of analysis; EPSS exploitation probability is negligible (0.02%, 4th percentile) and the issue is not in CISA KEV.
Technical ContextAI
Valkey is an open-source, high-performance distributed in-memory key-value datastore (a community fork of Redis) maintained under the Linux Foundation (CPE vendor 'lfprojects'). It embeds a Lua interpreter exposed through scripting commands such as EVAL/EVALSHA, allowing server-side script execution. The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output - Injection): the error-handling code for Lua scripts fails to neutralize embedded null (\0) characters before writing error/result content back into the RESP (Redis Serialization Protocol) reply buffer. Because Valkey multiplexes responses on a single client connection, malformed length/delimiter framing introduced by an unescaped null lets script output bleed into or desynchronize replies destined for other consumers on that connection.
RemediationAI
Vendor-released patch: upgrade Valkey to 9.0.2, 8.1.6, 8.0.7, or 7.2.12 (pick the fixed release matching your branch). For OS-packaged installs, apply your distribution's update: Ubuntu USN-8106-1 (https://ubuntu.com/security/notices/USN-8106-1), Red Hat RHSA-2026:3443 / RHSA-2026:5445 / RHSA-2026:3507 (https://access.redhat.com/errata/RHSA-2026:3443), or SUSE SUSE-SU-2026:0685 / SUSE-SU-2026:0848 (https://www.suse.com/support/update/SUSE-SU-2026:0685/); refer to the upstream advisory GHSA-p876-p7q5-hv2m for details. If you cannot patch immediately, the most effective compensating control is to restrict who can run scripting commands: use Valkey ACLs to deny EVAL/EVALSHA/FUNCTION (e.g., '-eval -evalsha -script -function' or category '-@scripting') to untrusted accounts, accepting that any application logic relying on server-side Lua will break. Avoid sharing a single authenticated connection across mutually distrusting tenants, since the bug corrupts replies among consumers on the same connection. Continue enforcing 'requirepass'/ACL authentication and network-level access restriction (bind to trusted interfaces, firewall the Valkey port) to keep scripting privileges out of untrusted hands.
Redis is an open source, in-memory database that persists on disk. Rated high severity (CVSS 7.5), this vulnerability is
Denial of service in Valkey 9.0.0 through 9.0.2 allows unauthenticated network attackers to crash the server by exploiti
Out-of-bounds read in Valkey clusterbus port processing allows network-adjacent attackers to crash affected systems by s
Vendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Server Applications 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| private-registry/harbor-valkey suse/valkey | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today