Maintenance releases of the Redis (6.2.19, 7.2.10, 7.4.5, 8.0.3) and Valkey (8.0.4, 8.1.3) DBMSs have been published, fixing two vulnerabilities. The more dangerous one (CVE-2025-32023) can potentially lead to remote code execution on the server, because data is written outside the bounds of the allocated buffer. To exploit the vulnerability, an attacker must be able to send commands to the DBMS.
The issue is caused by an error in the implementation of the commands that use the HyperLogLog (HLL) algorithm to approximate the number of unique elements in a set. By passing a specially crafted string, an attacker can trigger a buffer overflow. The issue affects all versions of Redis that support the HLL commands. As a workaround, user access to the HLL commands can be restricted via ACL.
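The ACL workaround mentioned above, as an added example that is not part of the original article: a Redis/Valkey ACL file that denies the whole HyperLogLog command category to an application user. The file path, user name, key pattern and password are placeholders.

```conf
# users.acl (assumed file name) -- loaded by setting in redis.conf:
#   aclfile /etc/redis/users.acl
# Apply on a running server with ACL LOAD; verify with ACL LIST.

# Turn off the passwordless default user so unauthenticated clients get nothing.
user default off

# Application user (placeholders): all commands except the @hyperloglog
# category (PFADD, PFCOUNT, PFMERGE, PFDEBUG, PFSELFTEST) and @dangerous.
user app on >REPLACE_WITH_STRONG_PASSWORD ~app:* +@all -@hyperloglog -@dangerous

# Check the rule without executing the command (ACL DRYRUN, Redis 7.0+):
#   ACL DRYRUN app PFADD visitors x   -> returns an error instead of OK
#   ACL DRYRUN app SET app:k v        -> OK
```

Denied attempts are recorded by ACL LOG, which gives a simple detection signal for clients still trying to use HLL commands after the restriction is in place.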
The second vulnerability (CVE-2025-48367) can be exploited by an authenticated user to cause a denial of service or degrade the performance of the DBMS. The problem is caused by incorrect error handling when establishing connections.
Source: opennet.ru
