Skip to main content

Redis EUVDEUVD-2025-20232

| CVE-2025-48367 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2025-07-07 security-advisories@github.com
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Mar 16, 2026 - 03:37 euvd
EUVD-2025-20232
Analysis Generated
Mar 16, 2026 - 03:37 vuln.today
Patch released
Mar 16, 2026 - 03:37 nvd
Patch available
CVE Published
Jul 07, 2025 - 16:15 nvd
HIGH 7.5

DescriptionGitHub Advisory

Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.

Analysis

Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.

Technical ContextAI

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Allocation of Resources Without Limits or Throttling (CWE-770).

RemediationAI

A vendor patch is available — apply it immediately. Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.

More in Redis

View all
CVE-2026-48172 CRITICAL POC
10.0 May 21

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i

CVE-2025-49844 CRITICAL POC
9.9 Oct 03

UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.

CVE-2022-0543 CRITICAL POC
10.0 Feb 18

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific

CVE-2018-11218 CRITICAL POC
9.8 Jun 17

Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,

CVE-2025-46817 HIGH POC
7.0 Oct 03

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user

CVE-2015-4335 CRITICAL POC
10.0 Jun 09

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.

CVE-2016-8339 CRITICAL POC
9.8 Oct 28

A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr

CVE-2026-27574 CRITICAL POC
9.9 Feb 21

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

CVE-2021-31649 CRITICAL POC
9.8 Jun 24

In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab

CVE-2020-11981 CRITICAL POC
9.8 Jul 17

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2018-11219 CRITICAL POC
9.8 Jun 17

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4

CVE-2024-23998 CRITICAL POC
9.6 Jul 05

goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v

Vendor StatusVendor

Ubuntu

Priority: Medium
redict
Release Status Version
jammy DNE -
noble DNE -
upstream needs-triage -
oracular ignored end of life, was needs-triage
plucky ignored end of life, was needs-triage
questing needs-triage -
valkey
Release Status Version
jammy DNE -
noble needs-triage -
upstream needs-triage -
oracular ignored end of life, was needs-triage
plucky ignored end of life, was needs-triage
questing needs-triage -
redis
Release Status Version
oracular ignored end of life, was needs-triage
bionic needed -
focal needed -
jammy needed -
noble needed -
trusty needed -
upstream released 8.0.3, 7.4.5, 7.2.10, 6.2.19
xenial needed -
plucky ignored end of life, was needed
questing needed -

Debian

Bug #1108980
redict
Release Status Fixed Version Urgency
forky, sid fixed 7.3.6+ds-1 -
(unstable) fixed 7.3.5+ds-1 -
redis
Release Status Fixed Version Urgency
bullseye fixed 5:6.0.16-1+deb11u7 -
bullseye (security) fixed 5:6.0.16-1+deb11u8 -
bookworm, bookworm (security) fixed 5:7.0.15-1~deb12u6 -
trixie (security), trixie fixed 5:8.0.2-3+deb13u1 -
forky, sid fixed 5:8.0.5-1 -
bookworm fixed 5:7.0.15-1~deb12u5 -
(unstable) fixed 5:8.0.2-2 -
valkey
Release Status Fixed Version Urgency
trixie (security), trixie fixed 8.1.1+dfsg1-3+deb13u1 -
forky, sid fixed 8.1.4+dfsg1-1 -
(unstable) fixed 8.1.1+dfsg1-3 -

SUSE

Severity: High
Product Status
SUSE Enterprise Storage 7.1 Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed

Share

EUVD-2025-20232 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy