CVE-2025-21605
📋 TL;DR
CVE-2025-21605 is a memory exhaustion vulnerability in Redis where unauthenticated clients can cause unlimited growth of output buffers, leading to server memory exhaustion and denial of service. This affects Redis servers with default configurations that allow unauthenticated connections or have password authentication enabled but receive connections without passwords.
💻 Affected Systems
- Redis
📦 What is this software?
Redis by Redis
Valkey by Lfprojects
⚠️ Risk & Real-World Impact
Worst Case
Complete Redis service outage due to memory exhaustion, potentially causing application downtime and data unavailability.
Likely Case
Denial of service through memory exhaustion, disrupting Redis operations and dependent applications.
If Mitigated
Minimal impact if proper authentication and network controls prevent unauthenticated access.
🎯 Exploit Status
Exploitation requires no authentication and minimal technical skill. Public detection scripts exist that demonstrate the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Redis 7.4.3
Vendor Advisory: https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff
Restart Required: Yes
Instructions:
1. Download Redis 7.4.3 or later from official sources.
2. Stop Redis service.
3. Install/upgrade to patched version.
4. Restart Redis service.
5. Verify version with 'redis-server --version'.
🔧 Temporary Workarounds
Block Unauthenticated Access
Platform: linux. Prevent unauthenticated clients from connecting to Redis using network controls
iptables -A INPUT -p tcp --dport 6379 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP
Enable TLS with Client Certificates
Platform: all. Require TLS encryption and client certificate authentication
Configure Redis with the 'tls-port', 'tls-cert-file', 'tls-key-file' and 'tls-auth-clients' options so that only clients presenting a trusted certificate can connect
🧯 If You Can't Patch
- Implement strict network access controls to allow only authenticated/trusted clients
- Enable Redis password authentication and ensure all clients provide valid credentials
🔍 How to Verify
Check if Vulnerable:
Check the Redis version with 'redis-server --version'. If the version is between 2.6 and 7.4.2 inclusive, the system is vulnerable.
Check Version:
redis-server --version
Verify Fix Applied:
Verify that the Redis version is 7.4.3 or later with 'redis-server --version'. Test that unauthenticated clients cannot cause memory exhaustion.
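An added check script, not from this page or the Redis project, that applies the version rule above (2.6 through 7.4.2 inclusive) to the banner printed by 'redis-server --version' and also inspects the 'client-output-buffer-limit' setting, which the linked vendor advisory names as the reason an unauthenticated client's output buffer can grow without bound (the default for normal clients is no limit). The sample banner and config value are constructed; pass the real command output to check a live server.

```shell
#!/bin/sh
# Added example: offline checks for the two facts this advisory turns on.
# Inputs are plain text, so the constructed samples below can be replaced
# by the live output of `redis-server --version` and
# `redis-cli CONFIG GET client-output-buffer-limit`.

# Pull X.Y.Z out of a banner such as "Redis server v=7.4.2 sha=... bits=64".
redis_version() {
    printf '%s\n' "$1" | sed -n 's/.*v=\([0-9][0-9.]*\).*/\1/p'
}

# Numeric dotted-version compare; prints -1, 0 or 1 (missing parts count as 0).
vercmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        a="${a#*.}"; b="${b#*.}"
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return; fi
    done
    echo 0
}

# True (exit 0) when the banner's version falls in 2.6 .. 7.4.2 inclusive,
# the range the page gives as vulnerable; exit 2 if no version is found.
is_vulnerable_version() {
    v="$(redis_version "$1")"
    [ -n "$v" ] || return 2
    [ "$(vercmp "$v" 2.6)" -ge 0 ] && [ "$(vercmp "$v" 7.4.2)" -le 0 ]
}

# CONFIG GET prints a value like
#   "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60".
# "normal 0 0 0" (the default) means normal clients, authenticated or not,
# have no output-buffer cap, which is what lets this DoS grow without bound.
normal_buffer_unlimited() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*normal \([0-9]*\) \([0-9]*\) \([0-9]*\).*/\1 \2 \3/p')
    [ $# -eq 3 ] || return 2
    [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 0 ]
}

# Constructed samples standing in for live command output.
SAMPLE_BANNER='Redis server v=7.4.2 sha=00000000:0 malloc=jemalloc-5.3.0 bits=64 build=0'
SAMPLE_LIMITS='normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60'
if is_vulnerable_version "$SAMPLE_BANNER"; then
    echo "version $(redis_version "$SAMPLE_BANNER") is in the vulnerable range: upgrade to 7.4.3 or later"
fi
if normal_buffer_unlimited "$SAMPLE_LIMITS"; then
    echo "normal client output buffer is unlimited: set a client-output-buffer-limit for normal clients as an interim cap"
fi
```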
📡 Detection & Monitoring
Log Indicators:
- Rapid memory usage growth
- Frequent 'NOAUTH' authentication errors from same source
- Out of memory errors in Redis logs
Network Indicators:
- High volume of connections to Redis port 6379 without authentication
- Sustained traffic from single source to Redis
SIEM Query:
source="redis.log" ("NOAUTH" OR "out of memory" OR "OOM") | stats count by src_ip
🔗 References
- https://github.com/redis/redis/releases/tag/7.4.3
- https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff
- https://github.com/valkey-io/valkey/releases/tag/8.1.1
- https://lists.debian.org/debian-lts-announce/2025/05/msg00014.html
- https://www.vicarius.io/vsociety/posts/cve-2025-21605-detection-script-memory-exhaustion-vulnerability-in-redis-database
- https://www.vicarius.io/vsociety/posts/cve-2025-21605-mitigation-script-memory-exhaustion-vulnerability-in-redis-database