CVE-2025-67733
Lua Script Injection in Valkey Causes Data Tampering Risk

Publication date: 2026-02-23

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for Lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-02-23
EPSS Evaluated: 2026-05-25
Affected Vendors & Products (4 associated CPEs)
Vendor       Product   Version / Range
lfprojects   valkey    before 7.2.12
lfprojects   valkey    8.0.0 (inclusive) to 8.0.7 (exclusive)
lfprojects   valkey    8.1.0 (inclusive) to 8.1.6 (exclusive)
lfprojects   valkey    9.0.0 (inclusive) to 9.0.2 (exclusive)
CWE ID   Description
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection')   The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-67733 is a high-severity vulnerability in the valkey-server package. It affects releases before 9.0.2 on the 9.0 branch, before 8.1.6 on 8.1, before 8.0.7 on 8.0, and before 7.2.12 on 7.2. It stems from improper handling of null characters in the Lua scripting error handling code, specifically in the error_reply function.

This flaw lets a user who can run scripts inject arbitrary bytes into the RESP (Redis Serialization Protocol) response stream of the connection their script runs on. RESP is a framed protocol in which CRLF terminates a reply, so bytes that reach the stream unsanitized can be read by the client as additional replies. When a connection is shared, for example through a connection pool or a multiplexing proxy that pipelines requests from several users, those extra frames shift which reply is matched to which request, so a later user can receive corrupted or attacker-chosen data.

The attack is network-based, has low complexity, requires low privileges, and does not require user interaction.
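The page does not give Valkey's exact code path, so the following is an added model of the bug class the description names (an error-reply sanitizer that stops at the first NUL byte while the reply writer emits the full buffer), not Valkey's own code. All function names and the two-request scenario are constructed for illustration; the flawed sanitizer sits beside a hardened one, and a minimal RESP2 parser shows what a client pipelining on a shared connection would see.

```python
"""
Added model of the CWE-74 bug class described for CVE-2025-67733: an error
reply sanitizer that inspects the message as a C string (stopping at the
first NUL byte) while the reply writer emits the full buffer. This is NOT
Valkey's code; function names and the scenario are constructed for
illustration. A minimal RESP2 parser shows the effect on a pipelined client.
"""


def sanitize_error_flawed(msg: bytes) -> bytes:
    """Flawed: newline scrubbing only covers the bytes before the first NUL,
    so anything after the NUL reaches the wire untouched."""
    nul = msg.find(b"\x00")
    visible = msg if nul < 0 else msg[:nul]
    scrubbed = visible.replace(b"\r", b" ").replace(b"\n", b" ")
    tail = b"" if nul < 0 else msg[nul:]  # escapes scrubbing entirely
    return scrubbed + tail


def sanitize_error_fixed(msg: bytes) -> bytes:
    """Hardened: scrub the whole buffer by its real length, and treat NUL
    as a special element too, since it has no place in a RESP error line."""
    return (msg.replace(b"\r", b" ")
               .replace(b"\n", b" ")
               .replace(b"\x00", b" "))


def error_reply(msg: bytes, sanitize) -> bytes:
    """RESP2 error reply: '-' <single line> CRLF."""
    return b"-" + sanitize(msg) + b"\r\n"


def parse_resp(stream: bytes) -> list:
    """Minimal RESP2 parser (status, error, integer, bulk string). Returns
    one (type, value) tuple per frame found in the byte stream."""
    replies = []
    i = 0
    while i < len(stream):
        kind = stream[i:i + 1]
        end = stream.index(b"\r\n", i)
        line = stream[i + 1:end]
        i = end + 2
        if kind == b"+":
            replies.append(("status", line))
        elif kind == b"-":
            replies.append(("error", line))
        elif kind == b":":
            replies.append(("int", int(line)))
        elif kind == b"$":
            n = int(line)
            if n < 0:
                replies.append(("bulk", None))
            else:
                replies.append(("bulk", stream[i:i + n]))
                i += n + 2
        else:
            raise ValueError(f"unexpected RESP type byte {kind!r}")
    return replies


def simulate_shared_connection(sanitize) -> list:
    """Constructed scenario: two requests pipelined on one shared connection.
    First an EVAL whose script raises an error carrying a NUL followed by a
    forged bulk-string frame; then another user's GET whose true reply is
    the bulk string b"10". Returns the frames the client parses."""
    forged_error = b"script failed\x00\r\n$4\r\n9999"
    server_stream = error_reply(forged_error, sanitize) + b"$2\r\n10\r\n"
    return parse_resp(server_stream)


if __name__ == "__main__":
    for name, fn in (("flawed", sanitize_error_flawed),
                     ("fixed", sanitize_error_fixed)):
        frames = simulate_shared_connection(fn)
        print(name, len(frames), "frames for 2 requests:", frames)
```

With the flawed sanitizer the client parses three frames for two requests and the second user's GET appears to return "9999"; with the hardened one the forged bytes stay inside the single error line and the GET reply is the genuine "10".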


How can this vulnerability impact me?

A user who can run Lua scripts against your instance can inject bytes into the response stream, so clients sharing that connection may receive corrupted or tampered data in place of the replies they expected.

There is no confidentiality impact; integrity can be compromised (low integrity impact) and availability can be severely affected (high availability impact).


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The advisory provides no signature or detection rule for this issue. The reliable check is the server version: compare the version each Valkey instance reports against the fixed releases (9.0.2, 8.1.6, 8.0.7, 7.2.12) and treat anything below the fixed release of its branch as affected.
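The following is an added version check, not part of the advisory. It parses the text that a Valkey server returns for INFO server and tests the version against the affected ranges listed on this page. The sample INFO text is constructed, and the check assumes that Valkey 8.x and later report a valkey_version field while older builds only carry the compatibility field redis_version.

```python
"""
Added version check for CVE-2025-67733. It parses the text returned by
'INFO server' and tests the version against the affected ranges listed on
this page. Not part of the advisory; the sample INFO text is constructed.
Assumption: Valkey 8.x and later report 'valkey_version' in INFO, older
builds only the compatibility field 'redis_version'.
"""
import re

# (lower inclusive, upper exclusive) per the CPE table on this page.
# The 7.2 row has no lower bound on the page, so it starts at 0.0.0.
AFFECTED_RANGES = [
    ((0, 0, 0), (7, 2, 12)),
    ((8, 0, 0), (8, 0, 7)),
    ((8, 1, 0), (8, 1, 6)),
    ((9, 0, 0), (9, 0, 2)),
]

FIXED_VERSIONS = ["7.2.12", "8.0.7", "8.1.6", "9.0.2"]


def parse_version(text: str) -> tuple:
    """'8.0.5' -> (8, 0, 5); ignores any trailing suffix."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def parse_info(info: str) -> dict:
    """Turn INFO output ('key:value' lines, '#' section headers) into a dict."""
    fields = {}
    for raw in info.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key] = value
    return fields


def is_affected(version: tuple) -> bool:
    """True when the version falls inside any affected range."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def check_info(info: str) -> dict:
    """Decide from INFO output whether the server is in an affected range.
    'confident' is False when only redis_version is present, because that
    field alone does not prove the server is Valkey rather than Redis."""
    fields = parse_info(info)
    if "valkey_version" in fields:
        version, source = parse_version(fields["valkey_version"]), "valkey_version"
    elif "redis_version" in fields:
        version, source = parse_version(fields["redis_version"]), "redis_version"
    else:
        raise ValueError("INFO output carries no version field")
    return {
        "version": version,
        "source": source,
        "affected": is_affected(version),
        "confident": source == "valkey_version",
    }


# Constructed sample, not captured from a real server.
SAMPLE_INFO = """# Server
valkey_version:8.0.5
redis_version:7.2.4
valkey_release_stage:ga
os:Linux 6.1.0 x86_64
"""

if __name__ == "__main__":
    result = check_info(SAMPLE_INFO)
    print(result)
    if result["affected"]:
        print("upgrade to one of", ", ".join(FIXED_VERSIONS))
```

Feed it the output of valkey-cli -h <host> -p <port> INFO server (with -a or --user on authenticated instances). A result sourced only from redis_version should be confirmed against the package or binary actually installed before it is recorded as a finding.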


What immediate steps should I take to mitigate this vulnerability?

The primary and recommended mitigation is to upgrade the valkey-server package to the fixed release of your branch: 9.0.2, 8.1.6, 8.0.7, or 7.2.12.

The advisory lists no other mitigation. Since the injection is reached through scripting commands, exposure until the upgrade lands can be narrowed by denying the scripting commands (EVAL, EVALSHA, FCALL and their read-only variants) via ACLs to users who do not need them, and by not sharing a single connection between clients of different trust levels; these are general hardening measures, not a fix for the flaw.

