How to fix CVE-2025-67733?

Within 24 hours: Inventory all Valkey deployments and assess network exposure; isolate any internet-facing instances or restrict access to trusted networks only. Within 7 days: Implement network segmentation and access controls; disable unnecessary Valkey features if possible; enable enhanced monitoring and logging for suspicious activity. Within 30 days: Establish timeline for upgrading to patched version when available; deploy WAF rules if Valkey is behind a proxy; consider migrating to alternative solutions if patch timeline is uncertain.

Is Valkey affected by CVE-2025-67733?

A high-severity vulnerability (CVE-2025-67733) affecting Valkey distributed databases poses significant risk to organizations storing critical data in these systems.

CVE-2025-67733

HIGH

2026-02-23 [email protected]

8.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

High

Lifecycle Timeline

Patch Released

Mar 18, 2026 - 14:15 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 23, 2026 - 20:28 nvd

HIGH 8.5

Description

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.

Analysis

Valkey is a distributed key-value database. [CVSS 8.5 HIGH]

Technical Context

Affects Valkey. Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.

Affected Products

Vendor: Lfprojects. Product: Valkey. Versions: up to 9.0.2.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +42

POC: 0

Vendor Status

CVE-2025-67733 vulnerability details – vuln.today

Back

CVE-2025-67733

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-67733

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code