Denial-of-Service Vulnerability in Redis In-Memory Database
CVE-2024-31228
Summary
Redis, an open-source in-memory database, is susceptible to a denial-of-service attack in which authenticated users can supply specially crafted long string match patterns. This affects commands such as KEYS, SCAN, PSUBSCRIBE, and ACL definitions, where matching such a pattern leads to unbounded recursion. Such exploitation may cause a stack overflow, crashing the Redis process. Users are strongly encouraged to upgrade to the fixed versions (6.2.16, 7.2.6, or 7.4.1), since there are no known workarounds available.
Timeline
Vulnerability published