DBMS Redis & Valkey Vulnerability Alert

Two vulnerabilities in the database management systems (DBMS) Redis and Valkey have been addressed in the latest updates. The vulnerabilities were found in Redis versions 6.2.19, 7.2.10, 7.4.5, and 8.0.3, as well as Valkey versions 8.0.4 and 8.1.3. The more severe of the two, identified as CVE-2025-32023, could allow remote code execution on the server through a buffer overflow. Exploitation requires the ability to send commands to the DBMS.

The vulnerability in Redis lies in the implementation of the commands built on the HyperLogLog (HLL) algorithm, which is used to approximately count the unique elements of a set. By crafting a specially designed string, an attacker could trigger a buffer overflow. This vulnerability affects all versions of Redis that support the HLL commands. As a workaround, restricting user access to the HLL commands through Access Control Lists (ACL) can mitigate the risk.
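The ACL workaround above only helps if no enabled user can still reach an HLL command, and Redis ACL rules are applied left to right, so a later `+pfcount` silently undoes an earlier `-@hyperloglog`. The following audit script is an added example for this page, not code from Redis, Valkey or the advisory: it parses `ACL LIST` output and reports every enabled user who retains access to a HyperLogLog command. The category table is an abbreviated one assumed for this example (the real server's table is authoritative, and only the `@hyperloglog`, `@read` and `@write` memberships that matter here are modelled), the `ACL LIST` lines are constructed samples, and the passwords in them are placeholders.

```python
import re

# Assumed, abbreviated ACL category table for this example only. The real server
# knows ~20 categories and hundreds of commands; this models just enough to show
# how +/- rules and categories interact for the HyperLogLog commands.
HLL_COMMANDS = {"pfadd", "pfcount", "pfmerge", "pfdebug"}
CATEGORIES = {
    "hyperloglog": set(HLL_COMMANDS),
    "read": {"get", "pfcount"},           # PFCOUNT is also a @read command
    "write": {"set", "pfadd", "pfmerge"},  # PFADD/PFMERGE are also @write commands
}
CATEGORIES["all"] = set().union(*CATEGORIES.values())

# Selectors are the parenthesised groups Redis 7 allows in ACL rules.
SELECTOR_RE = re.compile(r"\(([^)]*)\)")


def apply_rules(tokens):
    """Apply command rules left to right and return the resulting command set.
    Later rules override earlier ones: "+@all -@hyperloglog +pfcount" still
    leaves PFCOUNT reachable."""
    allowed = set()
    for tok in tokens:
        if tok == "allcommands":
            allowed |= CATEGORIES["all"]
        elif tok == "nocommands":
            allowed.clear()
        elif tok[0] in "+-" and len(tok) > 1:
            name = tok[1:].lower()
            if "|" in name:
                # Subcommand rule such as +config|get; no HLL command has subcommands.
                continue
            if name.startswith("@"):
                cmds = CATEGORIES.get(name[1:], set())  # unknown category: no effect here
            else:
                cmds = {name}
            if tok[0] == "+":
                allowed |= cmds
            else:
                allowed -= cmds
        # Key patterns (~), channels (&), passwords (>, <, #) and flags are not commands.
    return allowed


def effective_commands(acl_line):
    """Turn one line of ACL LIST output into the set of commands the user may run.
    Selectors are independent permission sets OR-ed with the root rules, so each
    is evaluated on its own and unioned into the result."""
    body = acl_line.strip()
    if not body.startswith("user "):
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    selectors = SELECTOR_RE.findall(body)
    root_tokens = SELECTOR_RE.sub(" ", body).split()[2:]  # drop "user" and the name
    allowed = apply_rules(root_tokens)
    for selector in selectors:
        allowed |= apply_rules(selector.split())
    return allowed


def audit_hll_access(acl_lines):
    """Return {username: HLL commands still reachable} for every enabled user.
    Users flagged "off" cannot authenticate and are skipped."""
    findings = {}
    for line in acl_lines:
        parts = line.split()
        name = parts[1]
        if "off" in parts[2:]:
            continue
        reachable = effective_commands(line) & HLL_COMMANDS
        if reachable:
            findings[name] = reachable
    return findings


# Constructed sample of ACL LIST output (passwords are placeholders, not real secrets).
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user analytics on >placeholder-pw ~stats:* &* +@all -@hyperloglog",
    "user legacy on >placeholder-pw ~* &* +@all -@hyperloglog +pfcount",
    "user reporter on >placeholder-pw ~* &* -@all +@read",
    "user sel on >placeholder-pw ~app:* &* -@all +get (+@hyperloglog ~hll:*)",
    "user retired off >placeholder-pw ~* &* +@all",
]

if __name__ == "__main__":
    for user, cmds in sorted(audit_hll_access(SAMPLE_ACL_LIST).items()):
        print(f"{user}: can still run {', '.join(sorted(cmds))}")
```

Run against a live instance by feeding it the lines of `redis-cli ACL LIST`. In the sample, `analytics` is the only hardened user; `default` (passwordless, every command) and `sel` (HLL granted through a selector) keep full HLL access, and `legacy` and `reporter` keep `PFCOUNT` through a trailing `+pfcount` and through `@read` respectively, which is exactly the kind of leftover an ACL review should surface.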

The second vulnerability, identified as CVE-2025-48367, could be exploited by an authenticated user to cause a denial of service or performance degradation in the DBMS. It is caused by errors in connection handling during connection establishment.

Sources: reports, release notes, official announcements.