CVE-2025-48367: 
Redis vulnerability analysis and mitigation

CVE-2025-48367 is a denial-of-service vulnerability affecting Redis, an open-source, in-memory database that persists on disk. The vulnerability was discovered and disclosed on July 7, 2025. The issue allows an unauthenticated connection to cause repeated IP protocol errors, which can lead to client starvation and ultimately result in a denial of service. The vulnerability affects all versions of Redis prior to versions 8.0.3, 7.4.5, 7.2.10, and 6.2.19 (NVD, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability stems from improper handling of connection errors, where the system fails to properly manage resources when encountering IP protocol errors from unauthenticated connections (GitHub Advisory).

The primary impact of this vulnerability is on system availability. When exploited, it can cause client starvation and lead to a denial of service condition, potentially making the Redis service unavailable to legitimate users. The vulnerability does not affect data confidentiality or integrity (GitHub Advisory).

The vulnerability has been fixed in Redis versions 8.0.3, 7.4.5, 7.2.10, and 6.2.19. The fix involves implementing proper retry mechanisms for accepting connections even when an accepted connection reports an error. Users are strongly advised to upgrade to these patched versions. Additionally, it is recommended to enforce strong authentication and avoid exposing Redis instances to untrusted networks (GitHub Releases, Security Online).