CVE-2025-29923: 
Grafana vulnerability analysis and mitigation

go-redis, the official Redis client library for the Go programming language, was found to have a vulnerability (CVE-2025-29923) prior to versions 9.5.5, 9.6.3, and 9.7.3. The vulnerability involves potential out-of-order responses when CLIENT SETINFO times out during connection establishment. This issue was discovered and disclosed on March 20, 2025, affecting versions >=9.5.1 (GitHub Advisory).

The vulnerability occurs when the CLIENT SETINFO command times out during connection establishment under specific conditions: when the client is configured to transmit its identity, during network connectivity issues, or when the client is configured with aggressive timeouts. The issue has been assigned a CVSS v3.1 score of 3.7 (Low) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network attack vector with high complexity, no privileges required, and low impact on integrity (GitHub Advisory).

The impact varies depending on the use case: For sticky connections, clients receive persistent out-of-order responses for the lifetime of the connection. In pipeline scenarios, all commands in the pipeline receive incorrect responses. When using the default connection pool without pipelining, at most one out-of-order response occurs before the connection is discarded, as the connection is marked as bad due to unread data when returned to the pool (GitHub Advisory).

The issue has been fixed in versions 9.5.5, 9.6.3, and 9.7.3. As a workaround, users can prevent the vulnerability by setting the flag DisableIdentity (or DisableIndentity) to true when constructing the client instance. The fix was implemented through PR #3295, which handles network errors in CLIENT SETINFO to avoid out-of-order responses (GitHub Commit, GitHub PR).