Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector with low privilege required; high complexity because connection-pool multiplexing is a prerequisite; scope change affects pooled clients with low C and I impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.9, Dragonfly has a RESP Protocol Injection via Lua redis.error_reply() in EvalSerializer. An authenticated user can inject arbitrary RESP messages into the connection's response stream, potentially causing response desynchronization in connection-pool clients. This vulnerability is fixed in 1.39.9.
AnalysisAI
RESP protocol injection in Dragonfly's EvalSerializer allows an authenticated low-privilege user to embed raw CRLF sequences inside Lua redis.error_reply() and redis.status_reply() return values, causing response stream desynchronization for connection-pool clients. All Dragonfly releases prior to 1.39.9 are affected; the vulnerability is confirmed fixed in 1.39.9 per GitHub security advisory GHSA-h77h-c6hc-qc9h. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) authenticated access to Dragonfly with permission to execute EVAL or EVALSHA commands - the CVSS PR:L metric confirms a low-privilege authenticated account is the minimum prerequisite; (2) the client connecting to Dragonfly must use a connection pool that multiplexes multiple logical clients over a single TCP connection, as desynchronization only affects clients sharing a socket; (3) the attacker must be able to submit a Lua script containing redis.error_reply() or redis.status_reply() with embedded \r\n sequences. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 2.3 (AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) accurately reflects the constrained impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Dragonfly user executes a Lua script via EVAL that returns redis.error_reply("ERR msg\r\n+INJECTED\r\n"); the EvalSerializer forwards the raw string to the connection's response buffer, inserting a spurious +INJECTED\r\n RESP frame. A connection-pool client sharing that socket across multiple logical sessions parses the injected frame as the response to the next pending command - for example, a subsequent PING issued by a different pooled client receives the injected string instead of +PONG, corrupting its state or exposing response data cross-client. … |
| Remediation | Upgrade Dragonfly to version 1.39.9 or later; this is the vendor-confirmed fix documented in GHSA-h77h-c6hc-qc9h and implemented in PR #7332 (https://github.com/dragonflydb/dragonfly/pull/7332). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i
UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user
Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.
A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab
An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4
goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39810