Out-of-Order Response Vulnerability in go-redis Client Library by Redis
CVE-2025-29923

3.7LOW

Key Information:

Vendor
Redis
Status
Go-redis
Vendor
CVE Published:
20 March 2025

Summary

The go-redis client library for the Go programming language has a vulnerability where it may return responses out-of-order when the CLIENT SETINFO command times out. This issue arises in scenarios where network connectivity is unstable or if clients are configured with aggressive timeout settings. For instances using persistent sticky connections, erroneous responses may persist throughout the connection's lifetime. Additionally, if the default connection pool is used, connections can be incorrectly marked as bad due to unread data, leading to incorrect responses for commands in the queue. Users are recommended to upgrade to versions 9.5.5, 9.6.3, or 9.7.3, or set the DisableIdentity flag to true to mitigate this issue.

Affected Version(s)

go-redis >= 9.7.0-beta.1, < 9.7.3 < 9.7.0-beta.1, 9.7.3

go-redis >= 9.6.0b1, < 9.6.3 < 9.6.0b1, 9.6.3

go-redis >= 9.5.1, < 9.5.5 < 9.5.1, 9.5.5

References

https://github.com/redis/go-redis/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/redis/go-redis/pull/3295
x_refsource_MISC
https://github.com/redis/go-redis/commit/d236865b0cfa1b75...
x_refsource_MISC

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-29923 : Out-of-Order Response Vulnerability in go-redis Client Library by Redis | SecurityVulnerability.io