A high-severity denial-of-service (DoS) vulnerability in Redis, tracked as CVE-2025-21605, allows unauthenticated attackers to crash servers or exhaust system memory by exploiting improperly limited output buffers.
The flaw affects Redis versions 2.6 and newer, with patches now available in updates 6.2.18, 7.2.8, and 7.4.3.
How the Exploit Works
The vulnerability stems from Redis’s default configuration, which imposes no limits on client output buffers.
.png
)
Attackers can send repeated unauthenticated requests, forcing these buffers to grow uncontrollably.
Even servers with password authentication enabled remain vulnerable if clients don’t provide credentials, as the Redis server continues sending “NOAUTH” error responses that consume memory.
Key Risks:
- Memory exhaustion: Servers may crash or become unresponsive.
- Zero authentication required: Attackers need no credentials.
- Network-accessible exploitation: Targets exposed to the internet are at immediate risk.
| Category | Details |
| Vulnerability Name | Redis DoS Flaw – Unlimited Growth of Output Buffers |
| CVE ID | CVE-2025-21605 |
| Affected Package | redis-server |
| Affected Versions | 2.6 and above |
| Patched Versions | 6.2.18, 7.2.8, 7.4.3 |
| Authentication Required | No (Unauthenticated attack) |
| Description | An unauthenticated client can cause unlimited output buffer growth, exhausting server memory. |
| Impact | Server crash, memory exhaustion, denial of service |
| Severity | High (CVSS 8.6/10) |
Mitigation and Patches
Redis maintainers have released emergency fixes to enforce output buffer limits. Users must upgrade to Redis 6.2.18, 7.2.8, or 7.4.3 immediately. For organizations unable to patch promptly, two workarounds are recommended:
- Network access controls: Use firewalls or security groups to block unauthorized access.
- TLS with client certificates: Require encrypted connections and client authentication.
With a CVSS score of 8.6 (High), this flaw poses a significant threat to the 300,000+ Redis instances estimated to be publicly exposed online.
Cloud infrastructure and in-memory databases are particularly vulnerable due to Redis’s widespread use for caching, session management, and real-time analytics.
Yaacov Hazan, a Redis maintainer, emphasized the urgency: “This vulnerability allows trivial exploitation with catastrophic results.
Organizations must prioritize patching or risk severe service disruptions.” Security researcher Polaris-alioth, who discovered the flaw, noted, “The default configuration’s lack of buffer limits creates a low-effort attack vector for adversaries.”
Recent Redis updates also address:
- Race conditions between main and module threads (#12817, #12905).
- Memory leaks in FUNCTION FLUSH commands (#13661).
- Premature WAITAOF returns and SLAVEOF crashes (#13793, #13853).
Redis has not yet disclosed when older versions (pre-6.2) will receive backported fixes. Until then, unpatched users must rely on network segmentation or TLS enforcement to mitigate risks.
This vulnerability highlights the dangers of default configurations in critical infrastructure software.
As Redis powers everything from social media platforms to financial systems, proactive patching isn’t just advisable—it’s essential to prevent large-scale outages.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
 vulnerability in Redis, tracked as CVE-2025-21605, allows unauthenticated attackers to crash servers.){kind=link}