CVE-2025-46686

LOW

Redis <8.0.3 - Memory Corruption

Title source: llm

Description

Redis through 8.0.3 allows memory consumption via a multi-bulk command composed of many bulks, sent by an authenticated user. This occurs because the server allocates memory for the command arguments of every bulk, even when the command is skipped because of insufficient permissions. NOTE: this is disputed by the Supplier because abuse of the commands network protocol is not a violation of the Redis Security Model.

References (3)

[Various Sources] https://github.com/redis/redis

[Issue Tracking] https://github.com/io-no/CVE-Reports/issues/1

[Vendor Advisory] https://github.com/redis/redis/security/advisories/GHSA-2r7g-8hpc-rpq9

Scores

CVSS v3 3.5

EPSS 0.0005

EPSS Percentile 14.4%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-401

Status published

Products (1)

Redis/Redis < 8.0.3

Published Jul 23, 2025

Tracked Since Feb 18, 2026