Summary: A high-severity denial-of-service (DoS) vulnerability in Redis, tracked as CVE-2025-21605, lets an unauthenticated client exhaust a server's memory until the process is killed or crashes. The cause is an output buffer that is never bounded: by default Redis sets no limit on the output buffer of normal clients, so a client that connects, never authenticates, and keeps sending commands receives a NOAUTH error reply for each one, and if it never reads those replies they accumulate in the server's memory without bound. The flaw affects Redis 2.6 and newer; patched releases are available for the maintained branches. Organizations are urged to prioritize patching to prevent severe service disruptions.
Affected: Redis
Key points:
- The denial-of-service condition is reachable by unauthenticated clients; having `requirepass` configured does not prevent it, since the unread NOAUTH replies are what fill the buffer.
- Redis versions 2.6 and newer are affected; patches are in versions 6.2.18, 7.2.8, and 7.4.3.
- The default `client-output-buffer-limit normal 0 0 0` places no cap on normal clients' output buffers, so replies that a client never reads accumulate until the server runs out of memory, with no authentication required.
- More than 300,000 Redis instances are exposed to the public internet worldwide and are at immediate risk.
- Where patching is delayed, restrict network access to the Redis port (firewalls, iptables, cloud security groups) or enable TLS and require client-side certificate authentication, so that unauthenticated connections never reach the command handler.
- Redis maintainers emphasize the urgency of updating to avoid catastrophic service disruptions.
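The following script is an added example, not code from the advisory or from the Redis project: it turns the key points above into a local check that a practitioner can run against a host's `INFO server` output (or `redis-server --version`) and its `redis.conf`. It flags an unpatched version using the fixed releases listed above, the unlimited default output buffer for normal clients, and a server that listens beyond loopback without TLS client-certificate authentication. The sample configurations and version strings are constructed, not captured from a real host; treating 8.0.0 and later as fixed is an assumption, as is the non-zero `client-output-buffer-limit normal` cap in the hardened config, which is defence in depth rather than a substitute for patching.

```python
"""Added example: assess a Redis deployment for CVE-2025-21605 exposure from its
version string and redis.conf. Not part of the original advisory or of Redis."""
import re

# First patched release of each maintained branch, as listed in the advisory.
FIXED = {(6, 2): (6, 2, 18), (7, 2): (7, 2, 8), (7, 4): (7, 4, 3)}

# redis.conf size suffixes: plain k/m/g are powers of 1000, kb/mb/gb powers of 1024.
_UNITS = {"": 1, "b": 1, "k": 10**3, "kb": 2**10, "m": 10**6, "mb": 2**20,
          "g": 10**9, "gb": 2**30}


def parse_version(text):
    """(major, minor, patch) from 'redis_version:7.4.2' (INFO) or 'Redis server v=7.4.2 ...'."""
    m = re.search(r"(?:redis_version:|v=)(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Redis version found in input")
    return tuple(int(g) for g in m.groups())


def is_vulnerable_version(ver):
    """Affected range is 2.6 and newer. Branches not in FIXED (7.0.x, 5.x, ...) never
    received the fix. 8.0.0+ is treated as fixed (assumption, not from the advisory)."""
    if ver < (2, 6, 0) or ver >= (8, 0, 0):
        return False
    fixed = FIXED.get(ver[:2])
    return True if fixed is None else ver < fixed


def parse_size(token):
    """Convert a redis.conf size token such as '256mb' or '0' to bytes."""
    m = re.fullmatch(r"(\d+)\s*([a-zA-Z]*)", token.strip())
    if not m or m.group(2).lower() not in _UNITS:
        raise ValueError(f"bad size: {token!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def _directives(conf_text):
    """Yield (name, args) for every non-comment directive line."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name.lower(), args


def normal_client_hard_limit(conf_text):
    """Hard output-buffer limit for 'normal' clients; 0 (the default) means unlimited,
    which is what lets an unauthenticated client grow the buffer without bound."""
    limit = 0
    for name, args in _directives(conf_text):
        if name == "client-output-buffer-limit" and len(args) >= 2 and args[0].lower() == "normal":
            limit = parse_size(args[1])
    return limit


def listens_beyond_loopback(conf_text):
    """True if TCP clients from other hosts can connect: no 'bind' line (Redis then
    binds every interface) or a bind naming something other than 127.x / ::1."""
    binds = [args for name, args in _directives(conf_text) if name == "bind"]
    if not binds:
        return True
    for addr in binds[-1]:
        a = addr.lstrip("-")  # '-::1' is Redis syntax for an optional bind address
        if not (a.startswith("127.") or a in ("::1", "localhost")):
            return True
    return False


def requires_client_certs(conf_text):
    """True when TLS is on and client certificates are required (tls-auth-clients
    defaults to yes once tls-port is set)."""
    tls_port, auth = 0, "yes"
    for name, args in _directives(conf_text):
        if name == "tls-port" and args:
            tls_port = int(args[0])
        elif name == "tls-auth-clients" and args:
            auth = args[0].lower()
    return tls_port != 0 and auth == "yes"


def assess(version_text, conf_text):
    """List of findings; empty means none of these checks found exposure."""
    findings = []
    if is_vulnerable_version(parse_version(version_text)):
        findings.append("unpatched version")
    if normal_client_hard_limit(conf_text) == 0:
        findings.append("client-output-buffer-limit normal is unlimited")
    if listens_beyond_loopback(conf_text) and not requires_client_certs(conf_text):
        findings.append("reachable from the network without TLS client-certificate auth")
    return findings


# Constructed sample inputs (not captured from a real host).
WEAK_CONF = """
bind 0.0.0.0
port 6379
requirepass s3cret   # a password alone does not stop NOAUTH replies piling up
client-output-buffer-limit normal 0 0 0
"""
HARDENED_CONF = """
bind 127.0.0.1 -::1
port 0
tls-port 6379
tls-auth-clients yes
client-output-buffer-limit normal 256mb 64mb 60
"""

if __name__ == "__main__":
    print("weak:", assess("redis_version:7.4.2", WEAK_CONF))
    print("hardened:", assess("redis_version:7.4.3", HARDENED_CONF) or ["ok"])
```

Run it against the real files on a host (`redis-cli INFO server` for the version, the running instance's `CONFIG GET` values if the on-disk file may have drifted). The version check is the one that matters; the other two findings describe exposure that only the patch removes for good.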