CVE-2025-46686
LOW
Redis <8.0.3 - Memory Corruption
Title source: llm
Description
Redis through 8.0.3 allows memory consumption via a multi-bulk command composed of many bulks, sent by an authenticated user. This occurs because the server allocates memory for the command arguments of every bulk, even when the command is skipped because of insufficient permissions. NOTE: this is disputed by the Supplier because abuse of the commands network protocol is not a violation of the Redis Security Model.
Scores
CVSS v3
3.5
EPSS
0.0003
EPSS Percentile
8.0%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Classification
CWE
CWE-401
Status
draft
Timeline
Published
Jul 23, 2025
Tracked Since
Feb 18, 2026