Valkey Distributed Key-Value Database RESP Protocol Injection Vulnerability
Vulnerability
A RESP protocol injection vulnerability has been identified in Valkey, a distributed key-value database, in versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. The vulnerability allows a malicious user to inject arbitrary information into the response stream for a given client using scripting commands. This could potentially corrupt or tamper with data sent to other users on the same connection. The issue arises because the error handling code for Lua scripts does not properly manage null characters.
Impact
Exploitation of this vulnerability could lead to the injection of false information into the response stream, allowing for data corruption or tampering with information sent to other users on the same connection.
Remediation
Users can upgrade to Valkey versions 9.0.2, 8.1.6, 8.0.7, or 7.2.12 to address this vulnerability.
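The advisory attributes the injection to error handling for Lua scripts that lets control bytes reach the RESP reply stream. The following is an added example, not Valkey's code, showing the general shape of the problem and the check a server-side encoder should apply: a RESP simple error (`-...\r\n`) is a single line, so any CR, LF or NUL in the message must be neutralised before it is written, and content that may legitimately contain NUL should travel in a length-prefixed bulk frame instead. The encoder and parser names, and the choice to replace disallowed bytes with spaces rather than reject the reply, are assumptions of this example.

```python
# Added example (hypothetical, not Valkey's implementation): a minimal RESP2
# encoder/parser pair used to show why line-oriented error replies must be
# free of CR, LF and NUL, and how a length-prefixed bulk frame sidesteps the issue.

# Bytes that must never appear inside a line-oriented RESP frame (+, -, :).
# CR/LF terminate the line; NUL is included because C-string based code paths
# truncate at it, which is the class of mishandling the advisory describes.
DISALLOWED = {"\r", "\n", "\x00"}


def encode_error_unsafe(msg: str) -> bytes:
    """Naive simple-error encoder: trusts the message verbatim (the bug pattern)."""
    return b"-" + msg.encode("utf-8") + b"\r\n"


def encode_error_safe(msg: str) -> bytes:
    """Hardened simple-error encoder: collapse any disallowed byte into a space so the
    reply can only ever be one frame, whatever the script supplied as error text."""
    cleaned = "".join(" " if c in DISALLOWED else c for c in msg)
    return b"-" + cleaned.encode("utf-8") + b"\r\n"


def encode_bulk(s: str) -> bytes:
    """Length-prefixed bulk string: the declared byte length, not a terminator,
    bounds the payload, so CR, LF and NUL inside it are carried safely."""
    data = s.encode("utf-8")
    return b"$" + str(len(data)).encode("ascii") + b"\r\n" + data + b"\r\n"


def parse_resp(stream: bytes) -> list:
    """Split a byte stream into RESP2 frames of type +, -, :, $ (arrays omitted).
    Returns a list of (type, value) tuples; raises on malformed framing."""
    frames = []
    i, n = 0, len(stream)
    while i < n:
        kind = stream[i:i + 1]
        end = stream.find(b"\r\n", i)
        if end == -1:
            raise ValueError("truncated frame")
        line = stream[i + 1:end].decode("utf-8", "replace")
        i = end + 2
        if kind == b"+":
            frames.append(("simple", line))
        elif kind == b"-":
            frames.append(("error", line))
        elif kind == b":":
            frames.append(("integer", int(line)))
        elif kind == b"$":
            length = int(line)
            if length == -1:
                frames.append(("bulk", None))
                continue
            payload = stream[i:i + length]
            if stream[i + length:i + length + 2] != b"\r\n":
                raise ValueError("bulk length does not match framing")
            frames.append(("bulk", payload.decode("utf-8", "replace")))
            i += length + 2
        else:
            raise ValueError(f"unknown frame type {kind!r}")
    return frames


def error_reply_is_single_frame(msg: str, encoder) -> bool:
    """Defender's check: does encoding this error text yield exactly one frame?
    A script-supplied message should never be able to change the frame count."""
    return len(parse_resp(encoder(msg))) == 1


if __name__ == "__main__":
    # Constructed sample error text containing a line break and a NUL.
    sample = "ERR script failed\r\nnext\x00line"
    print(parse_resp(encode_error_unsafe(sample)))  # more than one frame
    print(parse_resp(encode_error_safe(sample)))    # exactly one frame
    print(parse_resp(encode_bulk(sample)))          # NUL preserved, one frame
```

A regression test for a server's reply path would assert `error_reply_is_single_frame` for messages containing each byte in `DISALLOWED`; any encoder that fails it lets script-controlled text reach the framing layer.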
