go-redis Out-of-Order Response Vulnerability During CLIENT SETINFO Timeout

Vulnerability

A vulnerability in the go-redis library, the official Redis client for Go, can lead to out-of-order responses when the CLIENT SETINFO command times out during connection establishment. This issue affects versions from 9.5.1 up to, but not including, 9.5.5, 9.6.3, and 9.7.3. The problem can arise if the client is configured to send its identity, if there are network connectivity problems, or if aggressive timeouts are configured. The impact depends on the use case: it can cause persistent out-of-order responses for the duration of a sticky connection, disrupt pipelined commands, or lead to incorrect connection pool behavior, because connections are marked as bad due to unread data.

Impact

The vulnerability can cause incorrect command responses, disrupting application logic that relies on the order and accuracy of Redis replies. This is particularly problematic in applications using pipelining or sticky connections, where the impact can be amplified by the nature of these connection management strategies.

Reproduction

To reproduce this vulnerability, create a go-redis client instance with the DisableIdentity option set to false and establish a connection to a Redis server. Introduce a network delay or configure aggressive timeouts so that the CLIENT SETINFO command times out. Once the timeout occurs, the connection will start to exhibit out-of-order response behavior, which can be observed by sending additional commands and checking the order of the replies.

Remediation

Update the go-redis library to version 9.5.5, 9.6.3, or 9.7.3. When creating a client instance, set the DisableIdentity option to true to prevent the CLIENT SETINFO command from being sent on connect.
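As an added illustration of the failure described under Reproduction and of the two remediation paths above (this is a constructed model, not go-redis code): a mock connection whose CLIENT SETINFO reply arrives after the client's timeout; reusing that connection makes the next command read the stale +OK, while discarding the connection on handshake error (the fix) or never sending SETINFO (the DisableIdentity option) avoids that. All function names, channel-based "socket", command strings and timings are assumptions of this model.

```go
package main

import (
	"errors"
	"strings"
	"time"
)

// Constructed model of one client connection (not go-redis code): the mock server
// replies in request order, so a reply the client stopped waiting for stays queued.
type conn struct{ cmds, replies chan string }

func dial(setinfoDelay time.Duration) *conn {
	c := &conn{make(chan string, 16), make(chan string, 16)}
	go func() { // mock server: CLIENT SETINFO is slow, everything else instant
		for cmd := range c.cmds {
			if strings.HasPrefix(cmd, "CLIENT SETINFO") {
				time.Sleep(setinfoDelay)
				c.replies <- "+OK"
				continue
			}
			c.replies <- "value" // every GET answers "value"
		}
	}()
	return c
}

func (c *conn) do(cmd string, timeout time.Duration) (string, error) { // send, wait for reply
	c.cmds <- cmd
	select {
	case r := <-c.replies:
		return r, nil
	case <-time.After(timeout):
		return "", errors.New("i/o timeout")
	}
}

// runScenario: sendSetInfo=false is the DisableIdentity workaround, discardOnTimeout=true
// is the fixed client that drops a connection whose handshake failed; (true,false) is vulnerable.
func runScenario(sendSetInfo, discardOnTimeout bool) (string, error) {
	c := dial(200 * time.Millisecond) // SETINFO reply lands well after the client timeout
	defer close(c.cmds)
	if sendSetInfo {
		if _, err := c.do("CLIENT SETINFO LIB-NAME go-redis", 20*time.Millisecond); err != nil && discardOnTimeout {
			return "", errors.New("handshake failed, connection discarded")
		}
	}
	return c.do("GET key", 2*time.Second) // vulnerable path reads the stale "+OK" here
}
```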

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.