CVE Tools
Sign in

CVE-2025-21605

Redis DoS Vulnerability due to unlimited growth of output buffers abused by unauthenticated client

Published: Apr 23, 2025Updated: Feb 10, 2026 Sources: CVE List NVD BDUCWE-770
NVD MITRE
7.5CVSSHIGH
EPSS Score
0.8%
Top 47.5%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways. Either using network access control tools like firewalls, iptables, security groups, etc, or enabling TLS and requiring users to authenticate using client side certificates.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:NA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:NIntegrity
None
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-770

Affected Products

redisredis
On-premDatabase
Databases / cache-message-queue
valkeylfprojects
Mixed
AI / ML / notebook-mlops
debian linuxdebian
On-premOS
Operating Systems / linux-distro
Red Hat Enterprise LinuxRed Hat Inc.
On-premOS
Operating Systems / linux-distro
openSUSE TumbleweedNovell Inc.
On-premOS
Operating Systems / linux-distro
redisoss-projectUSDatabasesaka redis server, redis-py, go-redis
lfprojectsoss-projectAI / MLaka mlflow, valkey, model context protocol servers, mcp servers
debianoss-projectGBOperating Systemsaka debian gnu/linux
red hat inc.commercialUSOperating Systemsaka red hat
novell inc.commercialUSOperating Systems
and 8 more affected products View all →

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

1 technique
Impact
View detailed technique mapping

References

https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff
github.com
https://github.com/redis/redis/releases/tag/7.4.3
github.com
https://github.com/valkey-io/valkey/releases/tag/8.1.1
github.com
and 11 more references View all →

Timeline

Published
Apr 23, 2025
Last Updated
Feb 10, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-21605 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows