Advisory

Critical stack buffer overflow flaw in Redis database enables remote code execution

Take action: If you use Redis database servers (versions 8.2 to 8.2.3), plan a quick update to version 8.2.3 or later. The flaw is not immediately exploitable, but it's not something you want to leave exposed and ignore. Someone will find a way to reach your Redis servers and make a repeatable exploit. If you can't update right away, use Access Control Lists (ACL) to block access to the XACKDEL command until you can apply the security patch.


Learn More

Redis developers have patched a high-severity security vulnerability that could allow attackers to inject and execute arbitrary malicious code. 

The flaw is tracked as CVE-2025-62507 (CVSS score 7.7 to 9.3), and is caused by improper input handling in the XACKDEL command, a feature used for stream message acknowledgment and deletion within Redis. When users invoke the XACKDEL command with multiple stream IDs, the system fails to properly allocate memory for processing these requests. The Redis code does not adequately handle scenarios where the number of IDs exceeds a predefined threshold called STREAMID_STATIC_VECTOR_LEN, causing it to skip necessary memory reallocation. This triggers a stack-based buffer overflow condition that attackers can exploit to overwrite portions of stack memory and potentially achieve arbitrary code execution within the context of the Redis process.
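The allocation pattern the paragraph describes, shown here as an added illustration rather than Redis's own code: a small fixed-size stack vector for the common case, with a heap vector whenever the number of IDs exceeds STREAMID_STATIC_VECTOR_LEN. The constant's value, the streamID layout and the function names are assumptions; the unpatched behaviour is described in the comments rather than reproduced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
/* Assumed value: the page does not give the real constant's size. */
#define STREAMID_STATIC_VECTOR_LEN 8
typedef struct { uint64_t ms; uint64_t seq; } streamID;

/* Parse "ms-seq" into id; 0 on success, -1 on malformed input. */
static int parse_stream_id(const char *s, streamID *id) {
    char *end;
    id->ms = strtoull(s, &end, 10);
    if (end == s || *end != '-') return -1;
    id->seq = strtoull(end + 1, &end, 10);
    if (*end != '\0') return -1;
    return 0;
}

/* Hardened pattern: a small stack vector for the common case, a heap vector
 * whenever count exceeds it. The unpatched code skipped the marked branch, so
 * IDs beyond the static vector were written past the end of the stack array.
 * Returns the number of IDs parsed or -1; *heap_used reports the storage. */
int collect_ids(const char **args, int count, int *heap_used) {
    streamID static_ids[STREAMID_STATIC_VECTOR_LEN];
    streamID *ids = static_ids;
    *heap_used = 0;
    if (count > STREAMID_STATIC_VECTOR_LEN) {        /* the reallocation step */
        ids = malloc(sizeof(streamID) * (size_t)count);
        if (ids == NULL) return -1;
        *heap_used = 1;
    }
    int parsed = 0;
    for (int i = 0; i < count; i++) {
        if (parse_stream_id(args[i], &ids[i]) != 0) { parsed = -1; break; }
        parsed++;
    }
    if (ids != static_ids) free(ids);
    return parsed;
}

/* Constructed input: n well-formed IDs "1700000000000-<i>" (0 <= n <= 64). */
int demo(int n, int *heap_used) {
    static char buf[64][24];
    const char *argv[64];
    if (n < 0 || n > 64) return -1;
    for (int i = 0; i < n; i++) {
        snprintf(buf[i], sizeof buf[i], "1700000000000-%d", i);
        argv[i] = buf[i];
    }
    return collect_ids(argv, n, heap_used);
}
```

Calling demo with more IDs than the static vector holds exercises the heap branch; that branch is exactly what the vulnerable version lacked.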

Successful exploitation could enable attackers to gain unauthorized access to the Redis server, execute injected malicious code with database privileges, steal sensitive data stored in Redis instances, manipulate cached information to compromise dependent applications, deploy malware or backdoors for persistent access, and pivot to other systems within the network infrastructure.

Redis developers initially calculated a CVSS v4 score of 7.7, but SUSE maintainers assigned a more severe CVSS v4 rating of 9.3. This discrepancy reflects different interpretations of the vulnerability's exploitability and potential impact, though all parties agree it requires immediate attention.

All Redis versions from 8.2 to 8.2.3 are vulnerable.

Redis version 8.2.3 and all newer releases contain the security fix for this vulnerability.

Redis administrators should update to version 8.2.3 or later. For organizations that can't update, system administrators can use Access Control Lists (ACL) to restrict access to the vulnerable XACKDEL command, preventing users from executing this operation until patching is feasible. 
