What happened?
As part of an ongoing effort by the Redis Community and Redis to maintain Redis safety, security, and compliance posture, a security vulnerability in Redis has been identified and remediated in the versions indicated below.
What are the vulnerabilities?
[CVE-2025-21605] Redis DoS Vulnerability due to unlimited growth of output buffers abused by unauthenticated client. CVSS Score: 7.5 (High)
By default, the Redis configuration does not limit the client output buffer, so it can grow without bound over time until memory is exhausted and the service becomes unavailable.
When password authentication is enabled on the Redis server but the client provides no password, the client can still cause the output buffer to grow through “NOAUTH” responses until the system runs out of memory.
How can you protect your Redis instance?
Exposure to this vulnerability requires a Redis endpoint to be publicly exposed.
There are several steps you can take to protect your Redis from being accessed by a malicious actor. To minimize the risk of exploitation, it’s important to follow these best practices:
- Restrict Network Access: Ensure that only authorized users and systems have access to the Redis database. Use firewalls and network policies to limit access to trusted sources and prevent unauthorized connectivity.
- Enforce TLS: If the endpoint is publicly accessible and not TLS-only, enforce TLS and require users to authenticate using client-side certificates (also known as mTLS or mutual TLS).
For more details on how to securely configure, deploy, and use Redis, visit the Community Edition and Enterprise Software documentation sites.
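The two mitigations above, expressed as a redis.conf fragment. This is an added illustration, not configuration from the advisory or from the Redis project; interface addresses, certificate paths and the password are placeholders, and the output-buffer cap at the end is a defence-in-depth assumption rather than a workaround the advisory lists.

```conf
# --- Weak settings that leave the advisory's condition reachable ---
# bind 0.0.0.0                              # listens on every interface: endpoint is publicly exposed
# protected-mode no
# client-output-buffer-limit normal 0 0 0   # Redis default: no limit for normal clients

# --- Hardened settings (placeholder values, adapt to your deployment) ---
# 1. Restrict network access: only listen where trusted clients can reach the socket,
#    and keep protected mode on as a backstop.
bind 10.0.0.5 127.0.0.1
protected-mode yes

# 2. Enforce TLS with client certificates (mTLS): a client that cannot present a
#    certificate signed by our CA is rejected before it can issue any command.
port 0                                      # disable the plaintext listener entirely
tls-port 6379
tls-cert-file /etc/redis/tls/redis.crt      # placeholder path
tls-key-file /etc/redis/tls/redis.key       # placeholder path
tls-ca-cert-file /etc/redis/tls/ca.crt      # placeholder path
tls-auth-clients yes                        # require a valid client certificate on every connection

# 3. Password/ACL authentication still applies to connections that pass mTLS.
requirepass CHANGE_ME_PLACEHOLDER

# 4. Assumption (defence in depth, not a substitute for upgrading): cap the output
#    buffer of normal clients so a connection that only accumulates replies is
#    disconnected instead of growing without bound. Hard limit 32mb, soft limit 8mb for 60s.
client-output-buffer-limit normal 32mb 8mb 60
```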
How can I remediate?
We’ve already upgraded our Redis Cloud service with the fixes, so no additional action is required from you.
If you’re self-managing Redis, whether Software or Community versions, upgrade your Redis to the latest release.
The versions of Redis OSS, CE, Stack, and Software listed below include the corrections. Once the upgrades are performed, the vulnerability will be remediated in your environment.
Vulnerability | Impacted releases | Fixed releases
[CVE-2025-21605] Redis DoS Vulnerability due to unlimited growth of output buffers abused by unauthenticated clients. CVSS Score: 7.5 (High) | All Redis Software releases | 7.22.0-28 and above; 7.18.0-76 and above; 7.8.4-95 and above; 7.4.6-232 and above; 7.2.4-122 and above; 6.4.2-121 and above
[CVE-2025-21605] (same vulnerability) | All Redis OSS/CE/Stack releases | OSS/CE: 7.4.3 and above; 7.2.8 and above; 6.2.18 and above. Stack: 7.4.0-v4 and above; 7.2.0-v16 and above; 6.2.6-v20 and above
Who gets the credit?
We thank the following researcher for identifying this vulnerability and reporting it through our published process: the problem was reported by @polaris-alioth.