Memory Exhaustion Vulnerability in Redis Database by Redis
CVE-2025-21605

7.5 HIGH

Key Information:

Vendor: Redis
Status: Vendor
CVE Published: 23 April 2025

What is CVE-2025-21605?

CVE-2025-21605 is a memory exhaustion vulnerability in the Redis database, an open-source, in-memory data structure store widely used for caching, real-time analytics, and messaging. It allows an unauthenticated client to cause unbounded growth of the server's output buffers. As a result, the server's memory can be exhausted, potentially crashing the process and making the services that depend on it unavailable. Redis's default configuration sets no output-buffer limit for normal clients, so the risk is greatest when the server is reachable by clients that cannot authenticate.

Technical Details

The vulnerability exists in Redis versions from 2.6 up to, but not including, 7.4.3. When a client sends commands to the Redis server without authenticating, each command is answered with a "NOAUTH" error. These error responses accumulate in the connection's output buffer, which can grow without bound and ultimately consume all available memory on the server. The Redis development team has released a patch in version 7.4.3 to address this issue. The risk can also be mitigated by blocking unauthorized access through network control measures, or by enabling transport layer security (TLS) and requiring client-side certificate authentication.
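Added example, not code from this page or from the Redis project: two defender-side checks in Python, one deciding whether a reported redis_version falls in the affected range described above, the other parsing CLIENT LIST output (constructed sample lines) to flag connections whose output buffer (the `omem` field) has grown past a threshold. It assumes only the documented CLIENT LIST field names `id`, `addr` and `omem`.

```python
"""Defender-side checks for CVE-2025-21605 (Redis output-buffer exhaustion).
Uses data Redis already exposes: the version from `INFO server` and the
per-connection output-buffer size (`omem`) from `CLIENT LIST`. The CLIENT LIST
lines below are constructed for this example, not captured from a real server.
"""
import re

AFFECTED_MIN = (2, 6)      # first affected version named on the advisory
FIXED_VERSION = (7, 4, 3)  # first version carrying the fix


def parse_version(text):
    """Turn '7.4.2' (or '7.4', '7.4.3-rc1') into a comparable int tuple."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised redis_version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version):
    """True when the version is in the advisory's range >= 2.6, < 7.4.3."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def parse_client_list(output):
    """Split each CLIENT LIST line into a dict of its key=value fields."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in output.splitlines() if line.strip()]


def oversized_output_buffers(output, threshold_bytes):
    """Return (id, addr, omem) for connections whose output buffer exceeds
    threshold_bytes; with no client-output-buffer-limit set for normal
    clients (the default), nothing else stops such a buffer from growing."""
    return [(c.get("id"), c.get("addr"), int(c.get("omem", 0)))
            for c in parse_client_list(output)
            if int(c.get("omem", 0)) > threshold_bytes]


# Constructed sample: one healthy connection and one whose replies pile up.
SAMPLE_CLIENT_LIST = (
    "id=3 addr=10.0.0.5:52555 fd=8 name= age=120 idle=0 flags=N db=0 "
    "qbuf=26 qbuf-free=20448 obl=0 oll=0 omem=0 tot-mem=22400 user=default\n"
    "id=4 addr=10.0.0.9:41022 fd=9 name= age=900 idle=1 flags=N db=0 "
    "qbuf=0 qbuf-free=0 obl=0 oll=4096 omem=268435456 tot-mem=268500000 user=default\n"
)

if __name__ == "__main__":
    print(is_affected("7.4.2"), oversized_output_buffers(SAMPLE_CLIENT_LIST, 64 << 20))
```

On a live server the same functions take the redis_version line from `redis-cli INFO server` and the text of `redis-cli CLIENT LIST`.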

Potential Impact of CVE-2025-21605

  1. Service Disruption: By exhausting server memory, this vulnerability can lead to the complete disruption of services, preventing legitimate users from accessing the Redis database and potentially halting critical operational processes.

  2. Increased Maintenance Costs: Organizations may incur greater operational costs due to the need for constant monitoring and maintenance of Redis instances to prevent exploitation, as well as potential emergency response measures to recover from a memory exhaustion incident.

  3. Security Breach Risks: The lack of authentication requirements can allow unauthorized users to initiate attacks, creating an entry point for further exploitation or data exfiltration, thereby jeopardizing sensitive organizational data and privacy.

Affected Version(s)

redis >= 2.6, < 7.4.3

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

CVE-2025-21605 : Memory Exhaustion Vulnerability in Redis Database by Redis | SecurityVulnerability.io