Redis DoS Vulnerability

A high-severity vulnerability has been disclosed in Redis, the popular open-source in-memory data structure store, that could allow unauthenticated attackers to cause denial-of-service conditions by exhausting server memory.

Tracked as CVE-2025-21605 with a CVSS score of 7.5, this vulnerability affects all Redis versions from 2.6 onward and poses a significant risk to exposed Redis instances.

Redis Memory Exhaustion Vulnerability

The vulnerability stems from a fundamental design issue in Redis’s output buffer management. 


By default, Redis does not impose limits on output buffers for normal clients through the client-output-buffer-limit configuration. 

This flaw allows output buffers to grow without bound, potentially exhausting all available system memory. The vulnerability is particularly concerning because it can be exploited without authentication.

Even when password protection is enabled on a Redis server, attackers can trigger the vulnerability by sending requests without providing a password. 

Each failed authentication attempt generates “NOAUTH” responses that accumulate in the output buffer until the system runs out of memory or crashes.

“An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed,” Redis maintainers explained in their security advisory.

Security researcher @polaris-alioth responsibly disclosed the vulnerability, demonstrating ongoing collaboration between the security community and Redis maintainers.

Risk Factors | Details
Affected Products | Redis versions from 2.6 to versions prior to the patched releases.
Impact | Denial of Service (DoS)
Exploit Prerequisites | No authentication or privileges required; network access to Redis instance
CVSS 3.1 Score | 7.5 (High)

The attack vector is classified as network-based with low complexity, requiring no privileges or user interaction. While the vulnerability doesn’t compromise data confidentiality or integrity, it directly impacts availability, earning a high severity rating.

From a technical perspective, the issue arises from Redis’s handling of client connections. When a client connects to Redis without authentication using a command like:

Each unauthorized command generates an error response that consumes memory in the server’s output buffer. These responses accumulate indefinitely because Redis does not apply output buffer limits to normal clients by default.

Affected Versions and Patches

The vulnerability affects all Redis versions from 2.6 to versions prior to the following patched releases:

  • Redis OSS/CE 7.4.3 and above
  • Redis OSS/CE 7.2.8 and above
  • Redis OSS/CE 6.2.18 and above
  • Redis Stack 7.4.0-v4 and above
  • Redis Stack 7.2.0-v16 and above
  • Redis Stack 6.2.6-v20 and above

Redis Cloud services have already been upgraded with the necessary fixes, requiring no action from cloud customers. However, organizations self-managing Redis deployments should urgently upgrade to the patched versions.

For organizations unable to upgrade immediately, Redis maintainers recommend alternative mitigation strategies:

  • Implement network access controls using firewalls, iptables, or cloud security groups to prevent unauthenticated connections
  • Enable TLS and require client-side certificate authentication
  • Configure proper output buffer limits for clients
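The following is an added example, not code from the article or from the Redis project, that audits a redis.conf for the condition behind this advisory: a normal-client output buffer limit of 0 0 0 (Redis's default, which also covers unauthenticated connections). The sample configuration text and the 256mb/64mb/60 values used for the hardened variant are constructed for illustration; the advisory gives no specific numbers.

```python
import re

# redis.conf size suffixes: 1k = 1000 bytes, 1kb = 1024 bytes, and so on (case-insensitive).
_UNITS = {"": 1, "k": 1000, "kb": 1024, "m": 1000 ** 2, "mb": 1024 ** 2,
          "g": 1000 ** 3, "gb": 1024 ** 3}


def parse_size(text):
    """Convert a redis.conf size such as '256mb' or '0' to a byte count."""
    m = re.fullmatch(r"(\d+)([a-zA-Z]*)", text.strip())
    if not m or m.group(2).lower() not in _UNITS:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def output_buffer_limits(conf):
    """Return {class: (hard_bytes, soft_bytes, soft_seconds)} for every
    client-output-buffer-limit directive; a later directive for the same
    class overrides an earlier one, as it does when Redis loads the file."""
    limits = {}
    for line in conf.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if len(parts) == 5 and parts[0].lower() == "client-output-buffer-limit":
            limits[parts[1].lower()] = (parse_size(parts[2]), parse_size(parts[3]), int(parts[4]))
    return limits


def normal_clients_unbounded(conf):
    """True when normal clients (the class an unauthenticated connection belongs to)
    have neither a hard nor a soft output-buffer limit. A missing directive means
    the Redis default of 'normal 0 0 0' applies, which is also unbounded."""
    hard, soft, _ = output_buffer_limits(conf).get("normal", (0, 0, 0))
    return hard == 0 and soft == 0


# Constructed sample: the default (weak) setting for normal clients ...
WEAK_CONF = """\
bind 0.0.0.0
requirepass example-password-placeholder
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
"""

# ... and the same file with a bound on normal clients (values are illustrative assumptions).
HARDENED_CONF = WEAK_CONF.replace("client-output-buffer-limit normal 0 0 0",
                                  "client-output-buffer-limit normal 256mb 64mb 60")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: normal-client output buffers unbounded = {normal_clients_unbounded(conf)}")
```

Note that requirepass alone does not change the result, which is the point of the advisory: the limit on the normal class is what bounds what an unauthenticated client can make the server buffer.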

“Exposure to this vulnerability requires a Redis endpoint to be publicly exposed,” Redis stated in their advisory, emphasizing the importance of proper network security practices when deploying Redis servers.

Organizations utilizing Redis in their infrastructure should assess their exposure and implement appropriate mitigations immediately. 


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.