FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

redis,valkey -- DoS Vulnerability due to unlimited growth of output buffers abused by unauthenticated client

Affected packages
redis < 7.4.3
redis72 < 7.2,8
redis62 < 6.2.18
valkey < 8.1.1

Details

VuXML ID af8d043f-20df-11f0-b9c5-000c295725e4
Discovery 2025-04-23
Entry 2025-04-24

Axel Mierczuk reports:

By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable.

When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory.

[source]

References

CVE Name CVE-2025-21605
URL https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.