CVE-2025-46686
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-07-23
Last updated on: 2025-08-26
Assigner: MITRE
Description
Description
Redis through 8.0.3 allows memory consumption via a multi-bulk command composed of many bulks, sent by an authenticated user. This occurs because the server allocates memory for the command arguments of every bulk, even when the command is skipped because of insufficient permissions. NOTE: this is disputed by the Supplier because abuse of the commands network protocol is not a violation of the Redis Security Model.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redis | redis | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Redis versions up to 7.4.3 allows an authenticated user to cause increased memory consumption by sending a multi-bulk command with many bulks. The server allocates memory for each bulk's command arguments even if the command is skipped due to insufficient permissions, leading to unnecessary memory usage.
How can this vulnerability impact me? :
The vulnerability can lead to excessive memory consumption on the Redis server, potentially causing performance degradation or denial of service due to resource exhaustion.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70