Skip to main content

Valkey CVE-2025-67733

HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-02-23 security-advisories@github.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
vuln.today AI
5.4 MEDIUM

Network-reachable and low-complexity but requires a scripting-capable authenticated account (PR:L); impact is data tampering across a shared connection (I:L) with no confidentiality loss and at most minor availability disruption, so A:L not A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
SUSE
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
Red Hat
7.1 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jun 30, 2026 - 05:26 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:26 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:25 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:24 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:23 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 03:23 NVD
8.5 (HIGH) 7.1 (HIGH)
Patch released
Mar 18, 2026 - 14:15 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 23, 2026 - 20:28 nvd
HIGH 8.5

DescriptionNVD

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.

AnalysisAI

Response-stream injection in Valkey (the Redis fork) lets an authenticated user abuse Lua scripting commands to smuggle arbitrary bytes into the reply stream, corrupting or tampering with data returned to other users sharing the same connection. The flaw stems from the Lua script error-handling path mishandling null characters. It affects all releases prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. No public exploit identified at time of analysis; EPSS exploitation probability is negligible (0.02%, 4th percentile) and the issue is not in CISA KEV.

Technical ContextAI

Valkey is an open-source, high-performance distributed in-memory key-value datastore (a community fork of Redis) maintained under the Linux Foundation (CPE vendor 'lfprojects'). It embeds a Lua interpreter exposed through scripting commands such as EVAL/EVALSHA, allowing server-side script execution. The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output - Injection): the error-handling code for Lua scripts fails to neutralize embedded null (\0) characters before writing error/result content back into the RESP (Redis Serialization Protocol) reply buffer. Because Valkey multiplexes responses on a single client connection, malformed length/delimiter framing introduced by an unescaped null lets script output bleed into or desynchronize replies destined for other consumers on that connection.

RemediationAI

Vendor-released patch: upgrade Valkey to 9.0.2, 8.1.6, 8.0.7, or 7.2.12 (pick the fixed release matching your branch). For OS-packaged installs, apply your distribution's update: Ubuntu USN-8106-1 (https://ubuntu.com/security/notices/USN-8106-1), Red Hat RHSA-2026:3443 / RHSA-2026:5445 / RHSA-2026:3507 (https://access.redhat.com/errata/RHSA-2026:3443), or SUSE SUSE-SU-2026:0685 / SUSE-SU-2026:0848 (https://www.suse.com/support/update/SUSE-SU-2026:0685/); refer to the upstream advisory GHSA-p876-p7q5-hv2m for details. If you cannot patch immediately, the most effective compensating control is to restrict who can run scripting commands: use Valkey ACLs to deny EVAL/EVALSHA/FUNCTION (e.g., '-eval -evalsha -script -function' or category '-@scripting') to untrusted accounts, accepting that any application logic relying on server-side Lua will break. Avoid sharing a single authenticated connection across mutually distrusting tenants, since the bug corrupts replies among consumers on the same connection. Continue enforcing 'requirepass'/ACL authentication and network-level access restriction (bind to trusted interfaces, firewall the Valkey port) to keep scripting privileges out of untrusted hands.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Server Applications 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
openSUSE Leap 15.6 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2025-67733 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy