CVE-2025-62507: 
Redis 脆弱性の分析と軽減

Redis version 8.2 and later contains a high-severity vulnerability (CVE-2025-62507, CVSSv4 7.7) that could allow remote code execution (RCE) under specific conditions. The vulnerability was discovered by Google Big Sleep, an AI security agent jointly developed by Google DeepMind and Project Zero, and was patched in Redis version 8.2.3 (SecurityOnline, GitHub Advisory).

The vulnerability stems from a stack buffer overflow triggered by improper input handling in the XACKDEL command, which is used in stream message acknowledgment and deletion. The flaw occurs when the XACKDEL implementation fails to properly reallocate memory for a large number of stream IDs that exceeds the STREAMIDSTATICVECTOR_LEN. The code skips a necessary reallocation, leading to a stack buffer overflow condition (SecurityOnline, GitHub Commit).

An attacker with access to the Redis CLI or API could exploit this vulnerability by passing an excessively large list of IDs to XACKDEL, potentially achieving arbitrary code execution in the context of the Redis process. The vulnerability has been assigned a high severity rating with a CVSSv4 score of 7.7, indicating significant potential impact on system confidentiality, integrity, and availability (GitHub Advisory).

Redis has released version 8.2.3 which contains the fix for this vulnerability. For users unable to immediately update, a temporary workaround is available using Redis' Access Control Lists (ACLs) to prevent users from executing the XACKDEL operation. This can be implemented by restricting the XACKDEL command through ACL configuration (SecurityOnline, GitHub Release).