CVE-2025-46686 | THREATINT

Description

Redis through 8.0.3 allows memory consumption via a multi-bulk command composed of many bulks, sent by an authenticated user. This occurs because the server allocates memory for the command arguments of every bulk, even when the command is skipped because of insufficient permissions. NOTE: this is disputed by the Supplier because abuse of the commands network protocol is not a violation of the Redis Security Model.

PUBLISHED Reserved 2025-04-27 | Published 2025-07-23 | Updated 2025-08-26 | Assigner mitre

LOW: 3.5CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-401 Missing Release of Memory after Effective Lifetime

Product status

Default status

unknown

Any version

affected

References

github.com/redis/redis

github.com/io-no/CVE-Reports/issues/1

github.com/.../redis/security/advisories/GHSA-2r7g-8hpc-rpq9

cve.org (CVE-2025-46686)

nvd.nist.gov (CVE-2025-46686)

Download JSON