CVE-2025-32023

7.0 HIGH

📋 TL;DR

This CVE describes a memory corruption vulnerability in Redis hyperloglog operations that allows authenticated users to trigger out-of-bounds writes. Successful exploitation could lead to remote code execution on affected Redis servers. The vulnerability affects Redis versions from 2.8 up to (but not including) 8.0.3, 7.4.5, 7.2.10, and 6.2.19.

💻 Affected Systems

Products:
  • Redis
Versions: 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19
Operating Systems: All operating systems running affected Redis versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to Redis. Hyperloglog operations must be available to the authenticated user.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the Redis process, potentially leading to complete system compromise.

🟠 Likely Case: Redis service crash (denial of service) or limited memory corruption leading to unstable behavior.

🟢 If Mitigated: No impact if hyperloglog operations are disabled via ACL or the vulnerability is patched.

🌐 Internet-Facing: HIGH - Redis instances exposed to the internet with authentication enabled are vulnerable to authenticated attackers.
🏢 Internal Only: MEDIUM - Internal Redis instances are still vulnerable to authenticated users, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and knowledge of hyperloglog operations. The vulnerability involves memory corruption which can be complex to weaponize reliably.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.3, 7.4.5, 7.2.10, or 6.2.19

Vendor Advisory: https://github.com/redis/redis/releases

Restart Required: Yes

Instructions:

1. Identify the current Redis version with 'redis-server --version'.
2. Download and install the appropriate patched version from the Redis GitHub releases.
3. Stop the Redis service.
4. Replace the redis-server binary with the patched version.
5. Restart the Redis service.

🔧 Temporary Workarounds

Disable hyperloglog operations via ACL

all

Prevents authenticated users from executing the hyperloglog commands that trigger the vulnerability. Apply the rule to every user that can authenticate (the default user included) and persist it (ACL SAVE when an aclfile is configured, otherwise CONFIG REWRITE) so it survives a restart. ACLs exist only from Redis 6.0 onward; older affected releases can only restrict network access or rename the PF* commands with rename-command in redis.conf.

Either line is sufficient: the first removes the whole @hyperloglog category, the second only the three named commands.

ACL SETUSER <username> -@hyperloglog
ACL SETUSER <username> -PFADD -PFCOUNT -PFMERGE

🧯 If You Can't Patch

  • Implement strict network access controls to limit Redis exposure to trusted networks only
  • Use Redis ACL to restrict all user permissions to minimum required operations

🔍 How to Verify

Check if Vulnerable:

Check the Redis version with 'redis-server --version'. If the version is 2.8 or later and older than the fixed release for its branch (8.0.3, 7.4.5, 7.2.10, or 6.2.19), and hyperloglog commands are available to authenticated users, the system is vulnerable.

Check Version:

redis-server --version

Verify Fix Applied:

Verify the Redis version is at least the fixed release for its branch (8.0.3, 7.4.5, 7.2.10, or 6.2.19) using 'redis-server --version'.
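Because the fix landed in four separate branches, a plain "newer than X" comparison gives wrong answers (7.4.4 is vulnerable while 6.2.19 is fixed). The following POSIX sh helper, added here as an example and not part of the advisory or of Redis itself, classifies a version against the fixed releases listed above. It assumes the 'redis-server --version' banner has the form "Redis server v=X.Y.Z sha=... malloc=... bits=64 build=..." and treats any release newer than the 8.0 branch as fixed; the function and variable names are the author's own.

```shell
#!/bin/sh
# Classify a Redis version against the CVE-2025-32023 fixed releases
# (8.0.3, 7.4.5, 7.2.10, 6.2.19; affected from 2.8 onward).

# Extract "X.Y.Z" from the banner printed by `redis-server --version`.
# Assumed banner format: "Redis server v=7.2.4 sha=... malloc=... bits=64 build=...".
redis_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*v=\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print "not-affected", "fixed", or "vulnerable" for a bare X.Y.Z version string.
redis_cve_2025_32023_status() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # Releases older than 2.8 are not listed as affected by the advisory.
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 8 ]; }; then
        echo "not-affected"
        return 0
    fi

    # Anything newer than the 8.0 branch (e.g. 8.2.x) is past every fixed release (assumption).
    if [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -gt 0 ]; }; then
        echo "fixed"
        return 0
    fi

    # Branch-specific minimum patch level from the advisory; branches with no
    # fixed release (7.0, 6.0, 5.x, ...) are vulnerable and need a branch upgrade.
    case "$major.$minor" in
        8.0) fixed_patch=3 ;;
        7.4) fixed_patch=5 ;;
        7.2) fixed_patch=10 ;;
        6.2) fixed_patch=19 ;;
        *)   echo "vulnerable"; return 0 ;;
    esac

    if [ "$patch" -ge "$fixed_patch" ]; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Usage when redis-server is on PATH (skipped silently otherwise).
if command -v redis-server >/dev/null 2>&1; then
    v=$(redis_version_from_banner "$(redis-server --version)")
    echo "redis-server $v: $(redis_cve_2025_32023_status "$v")"
fi
```

Run it on every host in the fleet rather than on one node: Redis is often installed from distribution packages, and package version strings can lag or carry a different patch suffix, so checking the banner of the running binary is what matters.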

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Redis crashes or restarts
  • Hyperloglog command failures or unusual patterns in Redis logs

Network Indicators:

  • Unusual hyperloglog command traffic from authenticated users
  • Multiple PFADD/PFCOUNT/PFMERGE commands in short succession

SIEM Query (assumes a command-level audit feed; the standard Redis server log does not record individual commands):

source="redis.log" AND (command="PFADD" OR command="PFCOUNT" OR command="PFMERGE") | stats count by src_ip
