Valkey
Monthly
Denial of service in Valkey 9.0.0 through 9.0.2 allows unauthenticated network attackers to crash the server by exploiting improper networking state handling after empty requests. An attacker can trigger an assertion failure that causes the Valkey process to abort, impacting availability for all users. No patch is currently available; network isolation is recommended as a mitigation.
Out-of-bounds read in Valkey clusterbus port processing allows network-adjacent attackers to crash affected systems by sending specially crafted packets that bypass buffer validation checks. This vulnerability affects Valkey versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12, impacting any deployment exposing the clusterbus port to untrusted networks. Patches are available and administrators should restrict clusterbus access with network ACLs as an immediate mitigation.
Response-stream injection in Valkey (the Redis fork) lets an authenticated user abuse Lua scripting commands to smuggle arbitrary bytes into the reply stream, corrupting or tampering with data returned to other users sharing the same connection. The flaw stems from the Lua script error-handling path mishandling null characters. It affects all releases prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. No public exploit identified at time of analysis; EPSS exploitation probability is negligible (0.02%, 4th percentile) and the issue is not in CISA KEV.
Redis is an open source, in-memory database that persists on disk. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial of service in Valkey 9.0.0 through 9.0.2 allows unauthenticated network attackers to crash the server by exploiting improper networking state handling after empty requests. An attacker can trigger an assertion failure that causes the Valkey process to abort, impacting availability for all users. No patch is currently available; network isolation is recommended as a mitigation.
Out-of-bounds read in Valkey clusterbus port processing allows network-adjacent attackers to crash affected systems by sending specially crafted packets that bypass buffer validation checks. This vulnerability affects Valkey versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12, impacting any deployment exposing the clusterbus port to untrusted networks. Patches are available and administrators should restrict clusterbus access with network ACLs as an immediate mitigation.
Response-stream injection in Valkey (the Redis fork) lets an authenticated user abuse Lua scripting commands to smuggle arbitrary bytes into the reply stream, corrupting or tampering with data returned to other users sharing the same connection. The flaw stems from the Lua script error-handling path mishandling null characters. It affects all releases prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. No public exploit identified at time of analysis; EPSS exploitation probability is negligible (0.02%, 4th percentile) and the issue is not in CISA KEV.
Redis is an open source, in-memory database that persists on disk. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.