CVE-2026-25243
Remote Code Execution in Redis via RESTORE Command
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redis | redis | to 8.6.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25243 is a high-severity vulnerability in Redis versions prior to 8.6.3 that affects the RESTORE command. The issue arises because the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a specially crafted serialized payload that triggers invalid memory access.
This invalid memory access can lead to remote code execution, allowing the attacker to run arbitrary code within the Redis server context. The root cause is insufficient validation of input, which can cause unsafe memory operations.
A workaround is to restrict access to the RESTORE command using Access Control List (ACL) rules. The vulnerability is patched in Redis version 8.6.3.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to execute arbitrary code on the Redis server, potentially compromising the entire system.
- Compromise of system confidentiality by unauthorized data access or exfiltration.
- Integrity violations through unauthorized modification of data or system state.
- Availability disruptions by causing service crashes or denial of service.
The attack requires low privileges but does require authentication and permission to execute the RESTORE command.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying the Redis server version and checking if the RESTORE command is accessible to potentially untrusted users.
You can detect vulnerable Redis versions by running the following command on your Redis server:
- redis-server --version
If the version is prior to 8.6.3, the server is vulnerable.
To check if the RESTORE command is accessible, you can use the Redis ACL commands to list permissions for users:
- ACL LIST
Look for users with permission to execute the RESTORE command. If any user has this permission and is authenticated, the system is at risk.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to restrict access to the RESTORE command using Redis Access Control Lists (ACLs).
Specifically, you should remove or limit permissions for users to execute the RESTORE command unless absolutely necessary.
- Use the ACL command to revoke RESTORE permissions, for example:
- ACL SETUSER <username> -RESTORE
Additionally, upgrading Redis to version 8.6.3 or later will patch the vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated attacker to execute arbitrary code on the Redis server, potentially compromising the system, exfiltrating data, or disrupting services.
Such impacts on confidentiality, integrity, and availability of data could lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.
Therefore, if exploited, this vulnerability could result in violations of these regulations due to unauthorized data access or system compromise.