Redis Redis

  1. Vendors
  2. Redis

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Redis product.

RSS Feeds for Redis security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Redis products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Redis Sorted by Most Security Vulnerabilities since 2018

Redis44 vulnerabilities

Redis Py2 vulnerabilities

Hiredis1 vulnerability

Redisraft1 vulnerability

Known Exploited Redis Vulnerabilities

The following Redis vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
Debian-specific Redis Server Lua Sandbox Escape Vulnerability Redis is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
CVE-2022-0543 Exploit Probability: 94.4% 		March 28, 2022

The vulnerability CVE-2022-0543: Debian-specific Redis Server Lua Sandbox Escape Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.

By the Year

In 2025 there have been 12 vulnerabilities in Redis with an average score of 7.3 out of ten. Last year, in 2024 Redis had 5 security vulnerabilities published. That is, 7 more vulnerabilities have already been reported in 2025 as compared to last year. Last year, the average CVE base score was greater by 0.48




Year Vulnerabilities Average Score
2025 12 7.33
2024 5 7.80
2023 14 5.94
2022 8 7.81
2021 9 7.58

It may take a day or so for new Redis vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Redis Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-62507 Nov 04, 2025
Redis XACKDEL stack buffer overflow CVE-2025-62507 (8.2.0-8.2.2) Redis is an open source, in-memory database that persists on disk. In versions 8.2.0 and above, a user can run the XACKDEL command with multiple ID's and trigger a stack buffer overflow, which may potentially lead to remote code execution. This issue is fixed in version 8.2.3. To workaround this issue without patching the redis-server executable is to prevent users from executing XACKDEL operation. This can be done using ACL to restrict XACKDEL command.
Redis
CVE-2025-49844 Oct 03, 2025
Redis 8.2 UGAF: Lua Script UAF RCE (fixed 8.2.2) Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Redis
CVE-2025-46819 Oct 03, 2025
Redis 8.2.1 Auth'd Lua Script OOB Read/Crash via EVAL/FUNCTION (8.2.2 Fix) Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Redis
CVE-2025-46818 Oct 03, 2025
Redis 8.2.1 and below: Auth user can run Lua scripts & execute code Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Redis
CVE-2025-46817 Oct 03, 2025
Redis <8.2.2 Integer Overflow via Lua Script RCE Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
Redis
CVE-2025-46686 Jul 23, 2025
Redis 8.0.3 Multi-Bulk Authenticated Memory Exhaustion Redis through 8.0.3 allows memory consumption via a multi-bulk command composed of many bulks, sent by an authenticated user. This occurs because the server allocates memory for the command arguments of every bulk, even when the command is skipped because of insufficient permissions. NOTE: this is disputed by the Supplier because abuse of the commands network protocol is not a violation of the Redis Security Model.
Redis
CVE-2025-32023 Jul 07, 2025
Redis hyperloglog OOB write -> RCE (2.8–8.0.x) Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands.
Redis
CVE-2025-48367 Jul 07, 2025
Redis Unauthenticated IP Protocol Error Leads to DoS until 8.0.3/7.4.5/7.2.10/6.2.19 Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.
Redis
CVE-2025-27151 May 29, 2025
Redis 7.x Buffer Overflow in redis-check-aof (fixed 8.0.2) Redis is an open source, in-memory database that persists on disk. In versions starting from 7.0.0 to before 8.0.2, a stack-based buffer overflow exists in redis-check-aof due to the use of memcpy with strlen(filepath) when copying a user-supplied file path into a fixed-size stack buffer. This allows an attacker to overflow the stack and potentially achieve code execution. This issue has been patched in version 8.0.2.
Redis
CVE-2025-21605 Apr 23, 2025
Redis Server Output Buffer DoS Vulnerable Before 7.4.3 Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways. Either using network access control tools like firewalls, iptables, security groups, etc, or enabling TLS and requiring users to authenticate using client side certificates.
Redis
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.