CVE-2025-46686: 
Redis vulnerability analysis and mitigation

Redis through 8.0.3 allows memory consumption via a multi-bulk command composed of many bulks, sent by an authenticated user. This vulnerability (CVE-2025-46686) was discovered in July 2025 and affects Redis servers where authenticated users can send commands. The issue is disputed by Redis because they consider abuse of the commands network protocol not to be a violation of their Security Model (Redis Advisory).

The vulnerability occurs because the server allocates memory for the command arguments of every bulk, even when the command is skipped due to insufficient permissions. The issue has received varying CVSS scores: MITRE assigned a Base Score of 3.5 (LOW) with vector CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, while CISA-ADP rated it at 4.9 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H. The vulnerability is associated with CWE-789 (Memory Allocation with Excessive Size Value) and CWE-401 (Missing Release of Memory after Effective Lifetime) (NVD).

The primary impact of this vulnerability is potential denial-of-service (DoS) through memory exhaustion. When exploited, it allows authenticated users to cause unintended or unexpected impact to the availability of the Redis server, even with low-level permissions (Redis Advisory).

Redis has decided not to implement a fix for this issue, stating that doing so would negatively impact legitimate functionality and performance. Instead, they recommend reviewing and enforcing strong access controls and integration with corporate identity provider solutions (Redis Advisory).

The vulnerability has sparked discussion about Redis's security model, with Redis maintaining that abuse of the commands network protocol does not constitute a security vulnerability. This stance has led to the vulnerability being marked as disputed in official records (NVD).