Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2025-21605
CVE-2025-21605:
Redis vulnerability analysis and mitigation
Overview
Redis versions starting from 2.6 and prior to 7.4.3 contain a vulnerability (CVE-2025-21605) where an unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is killed. The vulnerability was discovered by Tiezhen Zhang and Hanyang Jin from Huawei and was disclosed on April 23, 2025. The issue affects Redis, an open-source, in-memory database that persists on disk (NVD, GitHub Advisory).
Technical details
By default, the Redis configuration does not limit the output buffer of normal clients (via client-output-buffer-limit setting). When password authentication is enabled but no password is provided, the client can trigger output buffer growth through 'NOAUTH' responses until system memory is exhausted. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with no required privileges or user interaction (GitHub Advisory).
Impact
When exploited, this vulnerability leads to excessive resource consumption resulting in severe impact on all control and management protocols of the Redis server. The primary impact is a Denial of Service (DoS) condition where the service becomes exhausted and memory becomes unavailable, potentially causing the server to crash or become unresponsive (GitHub Advisory).
Mitigation and workarounds
The vulnerability has been patched in Redis version 7.4.3. For users unable to immediately update, several workarounds are available: 1) Block access to prevent unauthenticated users from connecting to Redis using network access control tools like firewalls, iptables, or security groups, 2) Enable TLS and require users to authenticate using client-side certificates (GitHub Advisory, Redis Release).
Community reactions
The release of Redis 7.4.3 has received positive community engagement, with multiple users acknowledging the security fix. The GitHub release announcement has garnered various reactions including thumbs up, rocket, and hooray emojis from the community (Redis Release).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management