CVE-2025-48367
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-07

Last updated on: 2025-09-05

Assigner: GitHub, Inc.

Description
Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-07
Last Modified
2025-09-05
Generated
2026-06-08
AI Q&A
2025-07-07
EPSS Evaluated
2026-06-07
NVD
CVE-2025-48367
EUVD
EUVD-2025-20232
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
redis redis From 7.0.0 (inc) to 7.2.9 (inc)
redis redis From 7.0.0 (inc) to 7.2.9 (inc)
redis redis From 7.0.0 (inc) to 7.2.9 (inc)
redis redis From 7.0.0 (inc) to 7.2.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-48367 is a high-severity denial of service vulnerability in Redis, an open source in-memory database. The issue occurs because Redis improperly handles certain connection errors from unauthenticated clients, specifically repeated IP protocol errors. These errors cause client starvation by exhausting resources, which prevents legitimate clients from connecting and ultimately leads to a denial of service. The vulnerability arises from the way Redis handles errors returned by the accept4() system call during connection acceptance, where transient errors were not immediately retried, causing delays and dropped connections. [1, 3]

Impact Analysis

This vulnerability can impact you by causing a denial of service on your Redis server. An unauthenticated attacker can trigger repeated IP protocol errors that exhaust server resources, leading to client starvation. This means legitimate clients may be unable to connect or use the Redis service, resulting in downtime or degraded performance of applications relying on Redis. [1]

Detection Guidance

This vulnerability manifests as repeated IP protocol errors causing client starvation and denial of service in Redis. Detection can involve monitoring Redis server logs for frequent connection errors related to accept4() failures or transient network errors such as ECONNABORTED, ENETDOWN, EPROTO, ENOPROTOOPT, EHOSTDOWN, ENONET, EHOSTUNREACH, EOPNOTSUPP, and ENETUNREACH. Additionally, network monitoring tools can be used to detect unusual connection reset or refusal patterns to the Redis server port (default 6379). Specific commands to check Redis logs or system logs (e.g., using grep for error messages) and to monitor network connections (e.g., using netstat or ss) can help identify symptoms of this issue. However, no explicit detection commands are provided in the resources. [1, 3]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade your Redis server to one of the fixed versions: 8.0.3, 7.4.5, 7.2.10, or 6.2.19. These versions include a patch that improves the handling of transient errors during connection acceptance by retrying accept4() calls promptly, preventing denial of service caused by repeated IP protocol errors. Until upgrading, consider restricting network access to the Redis server to trusted clients only to reduce exposure to unauthenticated connection attempts. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-48367. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart