
Critical Vulnerability Discovered in Redis: Hackers Can Crash Servers
Redis, a high-performance, open-source database widely used by developers, has recently been found to have a dangerous vulnerability. The flaw allows hackers to exhaust a server's memory, rendering it inoperable.
The vulnerability, identified as CVE-2025-21605, has been assigned a severity score of 7.5. It affects every Redis release from version 2.6 onward, up to the fixed versions listed below.
The issue stems from Redis not enforcing a limit on the output buffer that stores responses to client requests. If someone repeatedly sends requests to a Redis server without providing a correct password, the server queues a “NOAUTH” error response for each one. These responses eventually fill up the server’s memory, causing Redis to crash.
How Does the Vulnerability Work?
- A hacker connects to Redis without entering a password.
- For each unauthenticated request, Redis responds with a “password not provided” (NOAUTH) error message.
- These responses accumulate in the server’s memory.
- Once the memory is full, the Redis server crashes (resulting in a Denial-of-Service, or DoS, condition).
The most concerning aspect is that exploiting this vulnerability requires no password or authorization—just a network connection.
This vulnerability poses a significant threat only to Redis servers exposed to the public internet. Servers properly configured within internal networks and adhering to security best practices are relatively safe.
How to Protect Yourself?
If you can update Redis, do so immediately! The vulnerability has been fixed in the following versions:
Redis OSS (standard versions):
- 7.4.3 and higher
- 7.2.8 and higher
- 6.2.18 and higher
Redis Stack:
- 7.4.0-v4 and higher
- 7.2.0-v16 and higher
- 6.2.6-v20 and higher
Users of Redis Cloud need not worry, as the necessary updates have already been applied.
🔒 What if updating isn’t possible?
Take the following measures:
- Do not expose Redis to the public internet—run it only within an internal network.
- Configure network access controls to allow connections only from specific IP addresses.
- Enable TLS to secure connections.
- Limit the output buffer size by configuring the client-output-buffer-limit parameter.
- Use a firewall or iptables to block unauthorized users from connecting to the Redis server.
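The following script is an added example, not part of this article or of the Redis project: it takes a server's INFO output and CONFIG GET values (captured by whatever means your fleet tooling already uses) and reports whether the version falls outside the patched ranges listed above and whether the normal client class still has no hard output-buffer limit, the condition under which NOAUTH replies accumulate. The rule that branches newer than 7.4 are treated as patched is my assumption, not something the advisory states.

```python
import re

# Minimum patched release per (major, minor) branch, from the advisory's list.
FIXED_PATCH = {(7, 4): 3, (7, 2): 8, (6, 2): 18}
FIRST_AFFECTED = (2, 6, 0)   # advisory: affected from 2.6 onward

def parse_version(text):
    """Extract (major, minor, patch) from '7.2.7' or a 'redis_version:7.2.7' INFO line."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """True if this release is not affected according to the advisory's fix table.
    Assumption (not in the advisory): branches newer than 7.4 shipped after the fix."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) < FIRST_AFFECTED:
        return True
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch >= FIXED_PATCH[branch]
    return branch > max(FIXED_PATCH)

def normal_clients_hard_limit(cobl_value):
    """Parse a 'client-output-buffer-limit' value (as CONFIG GET returns it) and
    return the hard byte limit for the 'normal' client class; 0 means unlimited."""
    tokens = cobl_value.split()
    # Layout: <class> <hard> <soft> <soft-seconds>, repeated once per class.
    for i in range(0, len(tokens) - 3, 4):
        if tokens[i] == "normal":
            return int(tokens[i + 1])
    return 0   # class not listed: the Redis default for 'normal' is no limit

def assess(info_output, config):
    """Return findings for one server from its INFO text and a dict of CONFIG GET values."""
    findings = []
    version_line = next(l for l in info_output.splitlines() if l.startswith("redis_version:"))
    if not is_patched(version_line):
        findings.append("version %d.%d.%d is not in the patched range" % parse_version(version_line))
    if normal_clients_hard_limit(config.get("client-output-buffer-limit", "")) == 0:
        findings.append("no hard output-buffer limit for normal clients; NOAUTH replies can grow unbounded")
    return findings

# Constructed sample data: an unpatched 7.2 server running with Redis' default buffer limits.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.7\r\nredis_mode:standalone\r\n"
SAMPLE_CONFIG = {
    "client-output-buffer-limit": "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60",
}

if __name__ == "__main__":
    for finding in assess(SAMPLE_INFO, SAMPLE_CONFIG):
        print("FINDING:", finding)
```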
While Redis is a powerful tool, improper configuration can make it vulnerable. This newly discovered flaw is a clear example. If you use Redis, check your server now, update it if needed, or strengthen your security measures.
🛡 Update Redis before your memory runs out!