Redis HyperLogLog Out-of-Bounds Write Vulnerability Leading to Remote Code Execution

Vulnerability

Redis versions from 2.8 up to and including 8.0.2 are affected. The fix ships in 8.0.3 and has been backported to 7.4.5, 7.2.10, and 6.2.19. An authenticated user can trigger a stack or heap out-of-bounds write through the HyperLogLog commands, which can lead to remote code execution. Because HyperLogLog support dates from the 2.8 series, every release that carries the feature and predates these fixed versions should be treated as affected.

Impact

A successful exploit gives the attacker code execution inside the redis-server process, with whatever privileges, file-system access, and network reach that process has. Any credential that is accepted by the instance, including the default user when it has a password or no password at all, is sufficient to reach the vulnerable code.

Reproduction

A user who has authenticated to Redis and can run the HyperLogLog commands (PFADD, PFCOUNT, PFMERGE) can trigger the bug by supplying a specially crafted HyperLogLog value. HyperLogLog values are stored as ordinary Redis strings in either a dense or a sparse encoding; the sparse encoding is a stream of run-length opcodes. A crafted string carries opcodes whose run lengths push the register index past the end of the register array, so the command processing that expands or merges the value writes out of bounds, on the stack or on the heap depending on the code path.
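The following is an added example, not Redis source code and not part of the original advisory. It decodes the sparse HyperLogLog representation (header plus ZERO, XZERO and VAL opcodes, as documented in Redis' hyperloglog.c) and refuses any opcode stream whose run lengths would advance the register index past the 16384 registers, which is the class of bounds check a hardened expander needs. The sample blobs, including the overrunning one, are constructed here for illustration.

```python
"""Decoder for the sparse representation of a Redis HyperLogLog value.

Added example, not Redis source code. The header layout and the three
opcodes (ZERO, XZERO, VAL) follow the encoding documented in Redis'
hyperloglog.c; the sample blobs below are constructed for this example.
"""

HLL_REGISTERS = 16384   # 2**14 registers (P = 14)
HLL_HDR_SIZE = 16       # "HYLL", encoding byte, 3 unused, 8-byte cached cardinality
HLL_SPARSE = 1          # encoding byte value that marks a sparse HLL


class SparseHLLError(ValueError):
    """Raised when a sparse blob is malformed or would overrun the registers."""


def decode_sparse(blob: bytes) -> list:
    """Expand a sparse HLL blob into its 16384 registers.

    Each opcode advances a register index by its run length. An opcode that
    would carry the index past HLL_REGISTERS is rejected before anything is
    written; without that check a crafted opcode stream writes past the end
    of the dense register buffer, which is the defect class this advisory
    describes.
    """
    if len(blob) < HLL_HDR_SIZE or blob[:4] != b"HYLL":
        raise SparseHLLError("missing HYLL header")
    if blob[4] != HLL_SPARSE:
        raise SparseHLLError("not a sparse encoding")

    registers = [0] * HLL_REGISTERS
    idx = 0
    pos = HLL_HDR_SIZE
    while pos < len(blob):
        op = blob[pos]
        start = pos
        if op & 0xC0 == 0x00:       # ZERO  00xxxxxx          -> x+1 zero registers (1..64)
            runlen, value = (op & 0x3F) + 1, 0
            pos += 1
        elif op & 0xC0 == 0x40:     # XZERO 01xxxxxx yyyyyyyy -> xy+1 zero registers (1..16384)
            if pos + 1 >= len(blob):
                raise SparseHLLError("truncated XZERO opcode at offset %d" % start)
            runlen, value = (((op & 0x3F) << 8) | blob[pos + 1]) + 1, 0
            pos += 2
        else:                       # VAL   1vvvvvxx          -> x+1 registers set to v+1
            runlen, value = (op & 0x03) + 1, ((op >> 2) & 0x1F) + 1
            pos += 1

        # The bounds check: refuse to advance past the register array.
        if idx + runlen > HLL_REGISTERS:
            raise SparseHLLError(
                "opcode at offset %d would write registers %d..%d (limit %d)"
                % (start, idx, idx + runlen - 1, HLL_REGISTERS - 1))
        for i in range(idx, idx + runlen):
            registers[i] = value
        idx += runlen

    if idx != HLL_REGISTERS:
        raise SparseHLLError("opcodes cover %d of %d registers" % (idx, HLL_REGISTERS))
    return registers


def is_well_formed(blob: bytes) -> bool:
    """True when the blob decodes without tripping a bounds or format check."""
    try:
        decode_sparse(blob)
        return True
    except SparseHLLError:
        return False


# --- helpers to build sample blobs (constructed for this example) ----------

def header() -> bytes:
    # Cached cardinality field left zero; it plays no part in the bounds check.
    return b"HYLL" + bytes([HLL_SPARSE, 0, 0, 0]) + bytes(8)

def zero(runlen: int) -> bytes:
    return bytes([runlen - 1])

def xzero(runlen: int) -> bytes:
    n = runlen - 1
    return bytes([0x40 | (n >> 8), n & 0xFF])

def val(value: int, runlen: int) -> bytes:
    return bytes([0x80 | ((value - 1) << 2) | (runlen - 1)])


# An empty HLL: one XZERO run covering all 16384 registers.
EMPTY_HLL = header() + xzero(HLL_REGISTERS)
# A valid HLL with registers 10, 11 and 12 set to 5.
SMALL_HLL = header() + zero(10) + val(5, 3) + xzero(HLL_REGISTERS - 13)
# A crafted blob: the XZERO run starts at register 64 but claims 16384 more,
# so an unchecked expander would write 64 registers past the buffer.
OVERRUN_HLL = header() + zero(64) + xzero(HLL_REGISTERS)

if __name__ == "__main__":
    for name, blob in (("empty", EMPTY_HLL), ("small", SMALL_HLL), ("overrun", OVERRUN_HLL)):
        print(name, "well-formed" if is_well_formed(blob) else "rejected")
```

The check is on the running index, not on the individual opcode: every opcode here is individually valid, and only the sum of run lengths exceeds the register count. A validator that only inspects opcodes one at a time would accept the overrunning blob.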

Remediation

Upgrade to 8.0.3, 7.4.5, 7.2.10, or 6.2.19, the first fixed release on each maintained branch; older branches such as 7.0 and 6.0 received no fix and must move to one of these. Where an upgrade has to wait, remove the HyperLogLog commands from every user that untrusted clients can authenticate as, including the default user: the rule ACL SETUSER <user> -@hyperloglog drops PFADD, PFCOUNT, PFMERGE and PFDEBUG in one step, and ACL LIST shows whether the rule took effect. Treat the ACL change as a stopgap rather than a fix, since it also breaks legitimate HyperLogLog use and does nothing for a user who keeps +@all.
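The following is an added example for triaging an instance against the fixed releases listed above; it is not the advisory's or Redis' own tooling. It reads the redis_version field from the text that INFO server returns (the sample excerpt is constructed). Branches for which no fixed release is listed, such as 7.0.x or 6.0.x, are treated as affected and pointed at the next fixed release above them; that mapping is this example's assumption.

```python
"""Triage a Redis instance's version against the advisory's fixed releases.

Added example, not Redis' or the advisory's own code. It reads the
redis_version field from INFO server output (the sample below is
constructed). Branches the advisory lists no fixed release for are
treated as affected and pointed at the next fixed release above them;
that mapping is this example's assumption.
"""
import re

# First fixed patch level on each branch the advisory names.
FIXED_IN = {(6, 2): 19, (7, 2): 10, (7, 4): 5, (8, 0): 3}
FIXED_RELEASES = sorted(branch + (patch,) for branch, patch in FIXED_IN.items())
FIRST_AFFECTED = (2, 8, 0)      # HyperLogLog arrived in the 2.8 series


def parse_version(text: str) -> tuple:
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def version_from_info(info: str) -> tuple:
    """Pull redis_version out of the text returned by INFO server."""
    for line in info.splitlines():
        if line.startswith("redis_version:"):
            return parse_version(line.split(":", 1)[1])
    raise ValueError("no redis_version field in INFO output")


def is_affected(version: tuple) -> bool:
    branch = version[:2]
    if branch in FIXED_IN:                    # maintained branch: compare patch level
        return version[2] < FIXED_IN[branch]
    # Any other branch from 2.8 up to the first fixed release never received the fix.
    return FIRST_AFFECTED <= version < FIXED_RELEASES[-1]


def upgrade_target(version: tuple):
    """Smallest fixed release above the running version, or None if not affected."""
    if not is_affected(version):
        return None
    candidates = [r for r in FIXED_RELEASES if r > version]
    return "%d.%d.%d" % candidates[0]


def triage(info: str) -> dict:
    v = version_from_info(info)
    return {"version": "%d.%d.%d" % v,
            "affected": is_affected(v),
            "upgrade_to": upgrade_target(v)}


# Constructed INFO server excerpt, as pasted from redis-cli.
SAMPLE_INFO = """# Server
redis_version:7.2.9
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 6.1.0 x86_64
"""

if __name__ == "__main__":
    print(triage(SAMPLE_INFO))
```

Run it against the output of redis-cli INFO server for each instance; the branch lookup matters because a patch-level comparison alone would wrongly call 7.2.10 older than 7.4.4.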

Added: Jul 7, 2025, 6:14 PM
Updated: Jul 7, 2025, 6:14 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 10.0
exploitability: 5.9
remediation: 7.9
relevance: 0.2
threat: 5.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.