CVE-2025-32023

HIGH LAB

Redis 2.8.0-6.2.18 - Authenticated Remote Code Execution via HyperLogLog String Parsing


Exploitation Summary

EIP tracks 5 public exploits for CVE-2025-32023. PoCs published by Beatriz Fresno Naumova, leesh3288, manus-use.

AI-analyzed exploit summary: This exploit targets a vulnerability in Redis (CVE-2025-32023) by crafting a malformed HyperLogLog (HLL) payload to trigger an integer overflow during a merge operation, potentially leading to remote code execution (RCE). The PoC connects to Redis, writes the malformed HLL, and triggers the overflow via pfcount.

Description

Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands.

Exploits (5)

exploitdb WORKING POC
by Beatriz Fresno Naumova · python · remote · linux
https://www.exploit-db.com/exploits/52477

This exploit targets a vulnerability in Redis (CVE-2025-32023) by crafting a malformed HyperLogLog (HLL) payload to trigger an integer overflow during a merge operation, potentially leading to remote code execution (RCE). The PoC connects to Redis, writes the malformed HLL, and triggers the overflow via pfcount.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Redis versions >= 8.0.0, < 8.0.3
No auth needed
Prerequisites: Network access to Redis instance · Redis instance running a vulnerable version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 208 stars
by leesh3288 · poc
https://github.com/leesh3288/CVE-2025-32023

This repository contains a working exploit for CVE-2025-32023, a vulnerability in Redis's HyperLogLog implementation that allows out-of-bounds writes due to integer overflow. The exploit achieves RCE by corrupting heap structures and leveraging Redis modules.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Redis versions >= 2.8 and < 8.0.3, 7.4.5, 7.2.10, 6.2.19
No auth needed
Prerequisites: Network access to Redis server · Redis server running vulnerable version
devstral-2 · analyzed Feb 16, 2026

github WORKING POC
by manus-use · postscript · poc
https://github.com/manus-use/cve-pocs/tree/main/redis-CVE-2025-32023

This repository contains functional exploit code for CVE-2025-32433, an Erlang OTP SSH vulnerability, demonstrating pre-authentication command execution via crafted SSH packets. The PoC includes a Dockerized vulnerable environment and a Python script to trigger the exploit.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Erlang OTP SSH (OTP-22.3.4.17)
No auth needed
Prerequisites: network access to target SSH port · vulnerable Erlang OTP version
devstral-2 · analyzed Feb 27, 2026

nomisec WRITEUP
by LordBheem · poc
https://github.com/LordBheem/CVE-2025-32023

The repository provides a detailed writeup for CVE-2025-32023, a remote code execution vulnerability in Redis affecting HyperLogLog operations due to an integer overflow. It includes technical details, mitigation steps, and references but lacks actual exploit code.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Redis 2.8 to versions prior to 8.0.3, 7.4.5, 7.2.10, and 6.2.19
Auth required
Prerequisites: Authenticated access to a vulnerable Redis instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by 44528zja · poc
https://github.com/44528zja/Blackash-CVE-2025-32023

This repository contains a working exploit for CVE-2025-32023, a critical RCE vulnerability in Redis versions below 7.2.4. The exploit leverages a malformed HyperLogLog (HLL) structure to achieve arbitrary memory corruption and ROP chain execution, leading to remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Redis < 7.2.4
No auth needed
Prerequisites: Redis server exposed without authentication · Write access to Redis
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.0
EPSS 0.1844
EPSS Percentile 95.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull redis:7.4.2-alpine3.21@sha256:02419de7eddf55aa5bcf49efb74e88fa8d931b4d77c07eff8a6b2144472b6952

Details

CWE: CWE-680
Status published
Products (1)
redis/redis 2.8.0 - 6.2.19
Published Jul 07, 2025
Tracked Since Feb 18, 2026