CVE-2025-48367
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-09-05
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redis | redis | From 7.0.0 (inc) to 7.2.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-48367 is a high-severity denial of service vulnerability in Redis, an open source in-memory database. The issue occurs because Redis improperly handles certain connection errors from unauthenticated clients, specifically repeated IP protocol errors. These errors cause client starvation by exhausting resources, which prevents legitimate clients from connecting and ultimately leads to a denial of service. The vulnerability arises from the way Redis handles errors returned by the accept4() system call during connection acceptance: transient errors were not immediately retried, causing delays and dropped connections. [1, 3]
How can this vulnerability impact me?
This vulnerability can impact you by causing a denial of service on your Redis server. An unauthenticated attacker can trigger repeated IP protocol errors that exhaust server resources, leading to client starvation. This means legitimate clients may be unable to connect or use the Redis service, resulting in downtime or degraded performance of applications relying on Redis. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as repeated IP protocol errors causing client starvation and denial of service in Redis. Detection can involve monitoring Redis server logs for frequent connection errors related to accept4() failures or transient network errors such as ECONNABORTED, ENETDOWN, EPROTO, ENOPROTOOPT, EHOSTDOWN, ENONET, EHOSTUNREACH, EOPNOTSUPP, and ENETUNREACH. Additionally, network monitoring tools can be used to detect unusual connection reset or refusal patterns to the Redis server port (default 6379). Specific commands to check Redis logs or system logs (e.g., using grep for error messages) and to monitor network connections (e.g., using netstat or ss) can help identify symptoms of this issue. However, no explicit detection commands are provided in the resources. [1, 3]
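The log-grep approach described above, written out as a small POSIX shell check. This is an added example, not code from BaseFortify or from the Redis project: it counts log lines that mention the accept path together with one of the errno names listed in the answer and flags a burst above a threshold. The sample log lines are constructed for the demo and the exact wording Redis writes on an accept failure may differ, so the `accept` pattern should be adjusted to match your server's real log text; the `ss` helper is only run if the tool is installed.

```shell
#!/bin/sh
# Added example (not from the BaseFortify page or the Redis project).
# Counts accept-path errors in a Redis log and flags a burst.

# Error names the Q&A lists as transient accept4() failures.
ERRNO_PATTERN='ECONNABORTED|ENETDOWN|EPROTO|ENOPROTOOPT|EHOSTDOWN|ENONET|EHOSTUNREACH|EOPNOTSUPP|ENETUNREACH'

# count_accept_errors LOGFILE -> number of lines mentioning "accept" and one
# of the errno names. "|| true" keeps a zero count from failing under set -e.
count_accept_errors() {
    grep -E -i 'accept' "$1" | grep -E -c "$ERRNO_PATTERN" || true
}

# burst_detected LOGFILE THRESHOLD -> exit 0 when the count reaches THRESHOLD
burst_detected() {
    n=$(count_accept_errors "$1")
    [ "$n" -ge "$2" ]
}

# redis_established_clients [PORT] -> number of established TCP connections to
# the Redis port (default 6379), using ss if it is available.
redis_established_clients() {
    port=${1:-6379}
    if command -v ss >/dev/null 2>&1; then
        ss -Htn state established "( sport = :$port )" | wc -l
    else
        echo "ss not installed" >&2
        return 1
    fi
}

# Constructed sample log for a stand-alone run (format is illustrative only).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1:M 07 Jul 2025 10:00:01.000 # Accepting client connection: accept: ECONNABORTED
1:M 07 Jul 2025 10:00:01.010 # Accepting client connection: accept: EPROTO
1:M 07 Jul 2025 10:00:01.020 * Client connected from 10.0.0.5:50000
1:M 07 Jul 2025 10:00:01.030 # Accepting client connection: accept: EHOSTUNREACH
1:M 07 Jul 2025 10:00:02.000 * DB saved on disk
EOF

echo "accept errors in sample log: $(count_accept_errors "$SAMPLE_LOG")"
if burst_detected "$SAMPLE_LOG" 3; then
    echo "burst detected: investigate accept() failures on the Redis listener"
fi
```

Run it against the real log file instead of the sample (for example `count_accept_errors /var/log/redis/redis-server.log`) and pair the count with `redis_established_clients` to see whether legitimate connections are dropping while the error rate climbs.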
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade your Redis server to one of the fixed versions: 8.0.3, 7.4.5, 7.2.10, or 6.2.19. These versions include a patch that improves the handling of transient errors during connection acceptance by retrying accept4() calls promptly, preventing denial of service caused by repeated IP protocol errors. Until upgrading, consider restricting network access to the Redis server to trusted clients only to reduce exposure to unauthenticated connection attempts. [1, 2, 3]
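A version check that applies the fixed releases named above, as an added example that is not part of the BaseFortify page or the Redis project. It maps each major.minor branch to the first fixed patch level the answer lists (6.2.19, 7.2.10, 7.4.5, 8.0.3) and reports whether a given version string is at or past it. Branches with no fixed release named on the page (for example 7.0.x, which the affected-products table covers) are reported as needing a move to a fixed branch; this handling, and the stripping of suffixes such as `-rc1`, are assumptions made for the example. The `live_redis_version` helper assumes a local `redis-cli` can reach the server.

```shell
#!/bin/sh
# Added example (not from the BaseFortify page or the Redis project).
# Compares a Redis version string against the fixed releases for CVE-2025-48367.

# fixed_patch_for_branch MAJOR.MINOR -> prints first fixed patch level for the
# branch, or returns 1 when the page names no fixed release for it.
fixed_patch_for_branch() {
    case "$1" in
        6.2) echo 19 ;;
        7.2) echo 10 ;;
        7.4) echo 5 ;;
        8.0) echo 3 ;;
        *) return 1 ;;
    esac
}

# redis_version_status VERSION -> prints "fixed", "vulnerable" or "no-fix-in-branch"
redis_version_status() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;          # "7.2" with no patch level: treat as .0 (assumption)
    esac
    patch=${patch%%[!0-9]*}      # drop suffixes such as "-rc1" (assumption)
    fixed=$(fixed_patch_for_branch "$major.$minor") || { echo no-fix-in-branch; return 0; }
    if [ "${patch:-0}" -ge "$fixed" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# live_redis_version -> version reported by a local server's INFO server section.
# INFO output uses CRLF line endings, so strip the carriage return first.
live_redis_version() {
    redis-cli INFO server | tr -d '\r' | sed -n 's/^redis_version://p'
}

# Stand-alone demo over constructed version strings.
for v in 7.2.9 7.2.10 7.4.4 7.4.5 8.0.2 8.0.3 6.2.19 7.0.15; do
    printf '%-8s %s\n' "$v" "$(redis_version_status "$v")"
done
```

On a live host, `redis_version_status "$(live_redis_version)"` gives the verdict for the running server; anything other than `fixed` means the upgrade step above still applies, and the network-restriction interim measure should stay in place until it is done.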