Valkey Distributed Key-Value Database Pre-Authentication Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in Valkey, a distributed key-value database, affecting versions from 9.0.0 up to, but not including, 9.0.3. The issue arises because the server fails to properly reset its networking state after handling an empty request. This flaw allows a malicious actor with network access to send a request that the server mistakenly interprets as violating server-side invariants, leading to an assertion failure and causing the server to shut down.
Impact
Exploitation of this vulnerability causes the Valkey server to abort unexpectedly, disrupting service and availability.
Remediation
Users are advised to upgrade to Valkey version 9.0.3 or later. Additionally, Valkey deployments should be properly isolated to ensure that only trusted users have access.
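The following triage helper is an added example, not part of the advisory or of the Valkey project's code. It flags instances inside the affected range stated above and lists listen addresses that are not loopback-only, assuming the version is read from the valkey_version field of INFO output and the addresses from the bind configuration directive; the function names and the sample input are hypothetical.

```python
import ipaddress
import re

AFFECTED_FROM = (9, 0, 0)  # first affected release named in the advisory
FIXED_IN = (9, 0, 3)       # first fixed release named in the advisory

def parse_info(text):
    """Turn INFO output ('key:value' lines, '# Section' headers) into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value
    return fields

def is_affected(version):
    """True when AFFECTED_FROM <= version < FIXED_IN."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return AFFECTED_FROM <= tuple(map(int, match.groups())) < FIXED_IN

def exposed_binds(bind_value):
    """Return bind addresses that are wildcard or not loopback."""
    exposed = []
    for addr in bind_value.split():
        addr = addr.lstrip("-")  # a leading '-' marks an optional address
        if addr.endswith("*") or not ipaddress.ip_address(addr).is_loopback:
            exposed.append(addr)
    return exposed

def triage(info_text, bind_value):
    """Combine the version check and the listen-address check into one verdict."""
    version = parse_info(info_text).get("valkey_version")
    if version is None:
        return "unknown: no valkey_version field"
    if not is_affected(version):
        return f"ok: {version} is outside the affected range"
    exposed = exposed_binds(bind_value)
    if exposed:
        return f"upgrade now: {version} affected, listening on {', '.join(exposed)}"
    return f"upgrade: {version} affected, loopback only"

# Constructed sample input, not captured from a real server.
SAMPLE_INFO = "# Server\r\nserver_name:valkey\r\nvalkey_version:9.0.1\r\n"

if __name__ == "__main__":
    print(triage(SAMPLE_INFO, "127.0.0.1 10.0.0.5"))
```

A loopback-only result still calls for the upgrade, and a non-loopback address is a prompt to review firewalling and network segmentation rather than proof of exposure.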
