CVE-2025-67733
📋 TL;DR
This vulnerability in Valkey allows malicious users to inject arbitrary data into response streams via scripting commands, potentially corrupting or tampering with data returned to other users on the same connection. The issue stems from improper null character handling in Lua script error handling code. All Valkey deployments using affected versions are vulnerable.
💻 Affected Systems
- Valkey
📦 What is this software?
Valkey by Lfprojects
⚠️ Risk & Real-World Impact
Worst Case
Data corruption across multiple users sharing connections, potentially leading to data integrity breaches, application errors, or unauthorized data manipulation affecting all users on compromised connections.
Likely Case
Targeted data tampering affecting specific users sharing connections with attackers, potentially causing application errors or returning manipulated data to legitimate users.
If Mitigated
Limited impact with proper connection isolation and input validation, though the core vulnerability remains present in the software.
🎯 Exploit Status
Exploitation requires authenticated access to execute scripting commands. The advisory provides technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.2, 8.1.6, 8.0.7, or 7.2.12 depending on your version line
Vendor Advisory: https://github.com/valkey-io/valkey/security/advisories/GHSA-p876-p7q5-hv2m
Restart Required: Yes
Instructions:
1. Identify your current Valkey version.
2. Upgrade to the patched version for your release line: 9.x → 9.0.2, 8.1.x → 8.1.6, 8.0.x → 8.0.7, 7.2.x → 7.2.12.
3. Restart the Valkey service.
4. Verify the new version is running.
🔧 Temporary Workarounds
Disable Lua Scripting
Disable Lua scripting functionality to prevent exploitation via scripting commands
In valkey.conf: lua-time-limit 0
Or via command: CONFIG SET lua-time-limit 0
Isolate Client Connections
Ensure clients don't share connections to limit the impact scope
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all scripting commands
- Monitor for unusual scripting command patterns and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Check if your Valkey version is below the patched versions for your release line
Check Version:
valkey-cli INFO | grep 'redis_version'
Verify Fix Applied:
Confirm the running version is 9.0.2, 8.1.6, 8.0.7, or 7.2.12 or later for your release line
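The version check above, automated as an added example that is not part of the advisory: it parses `valkey-cli INFO` output and compares the patch level numerically against the fix list for the matching release line, reporting "unknown" for lines the advisory does not list. The INFO text below is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example: is a running Valkey at or above the fixed release for its own line?
# Fix list from the advisory: 9.0.x -> 9.0.2, 8.1.x -> 8.1.6, 8.0.x -> 8.0.7, 7.2.x -> 7.2.12.

# fixed_for_line MAJOR.MINOR -> prints the first fixed patch release for that line,
# or fails (exit 1) when the line is not covered by the advisory's fix list.
fixed_for_line() {
  case "$1" in
    9.0) echo 9.0.2 ;;
    8.1) echo 8.1.6 ;;
    8.0) echo 8.0.7 ;;
    7.2) echo 7.2.12 ;;
    *)   return 1 ;;
  esac
}

# extract_version INFO_TEXT -> prints X.Y.Z taken from the redis_version: line
# (Valkey keeps this field for compatibility; CRLF line endings are tolerated).
extract_version() {
  printf '%s\n' "$1" | sed -n 's/^redis_version:\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# patch_status X.Y.Z -> prints "patched", "vulnerable" or "unknown".
# The patch component is compared as a number, so 8.1.10 ranks above 8.1.6
# (a plain string comparison would get this wrong).
patch_status() {
  ver=$1
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
  patch=$(printf '%s' "$patch" | sed 's/[^0-9].*//')   # drop "-rc1" style suffixes
  fixed=$(fixed_for_line "$major.$minor") || { echo unknown; return 0; }
  fixed_patch=${fixed##*.}
  if [ "${patch:-0}" -ge "$fixed_patch" ]; then echo patched; else echo vulnerable; fi
}

# Constructed sample of `valkey-cli INFO` output (not a real capture).
SAMPLE_INFO='# Server
redis_version:8.1.3
valkey_version:8.1.3
redis_mode:standalone'

# Usage: replace SAMPLE_INFO with "$(valkey-cli INFO)" against a live instance.
v=$(extract_version "$SAMPLE_INFO")
echo "running $v -> $(patch_status "$v")"
```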
📡 Detection & Monitoring
Log Indicators:
- Unusual Lua script execution patterns
- Script execution errors containing null characters
- Multiple users experiencing data corruption on shared connections
Network Indicators:
- Unusual scripting command frequency
- Script commands with embedded null characters
SIEM Query:
source="valkey" AND (command="EVAL" OR command="EVALSHA") AND message="*null*"