CVE-2021-32675
Published 2021-10-04
Priority: P3 (55), high; CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 15.78% (96.5th percentile)
Redis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values that determine the number of elements (in the multi-bulk header) and the size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate a significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround that mitigates the problem without patching the redis-server executable is to block access so that unauthenticated users cannot connect to Redis. This can be done in different ways: using network access control tools such as firewalls, iptables or security groups, or enabling TLS and requiring users to authenticate with client-side certificates.
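The description above is about where the check has to sit: the element count in the `*N` multi-bulk header and the element length in the `$N` bulk header are client-controlled, so they must be validated before anything is sized from them. The following Python parser is an added example written for this page, not Redis's own C code and not its real limit values; the `RespLimits` class, the `AUTHENTICATED` / `UNAUTHENTICATED` limit sets, the function names and the sample requests are all constructed for illustration. It applies a tighter limit set to connections that have not yet authenticated, which is the situation the advisory singles out, and it never pre-sizes a buffer from a declared length.

```python
"""Bounded RESP multi-bulk request parser (illustrative, not Redis code)."""
from dataclasses import dataclass
from typing import List, Tuple


class ProtocolError(Exception):
    """Raised when a request violates RESP framing or the configured limits."""


@dataclass(frozen=True)
class RespLimits:
    max_multibulk_len: int  # largest element count accepted from a '*N' header
    max_bulk_len: int       # largest single element accepted from a '$N' header


# Assumed limit sets for this example; they are NOT Redis's configured values.
AUTHENTICATED = RespLimits(max_multibulk_len=1024 * 1024, max_bulk_len=512 * 1024 * 1024)
UNAUTHENTICATED = RespLimits(max_multibulk_len=10, max_bulk_len=16 * 1024)


def _read_line(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Return the CRLF-terminated line starting at pos and the position after it."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise ProtocolError("incomplete line")
    return buf[pos:end], end + 2


def _parse_int(raw: bytes, what: str) -> int:
    try:
        return int(raw.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        raise ProtocolError(f"{what} is not an integer: {raw!r}") from None


def parse_request(buf: bytes, limits: RespLimits) -> List[bytes]:
    """Parse one multi-bulk request: '*N\\r\\n' followed by N bulk strings '$len\\r\\n<bytes>\\r\\n'.

    Every client-declared size is checked against `limits` before it is used,
    and no list or buffer is ever allocated from the declared value itself.
    """
    if not buf.startswith(b"*"):
        raise ProtocolError("expected multi-bulk header")
    line, pos = _read_line(buf, 1)
    count = _parse_int(line, "multi-bulk length")
    if count < 0:
        raise ProtocolError("negative multi-bulk length")
    if count > limits.max_multibulk_len:
        raise ProtocolError(f"multi-bulk length {count} exceeds limit {limits.max_multibulk_len}")

    args: List[bytes] = []  # grows as elements actually arrive, never pre-sized from `count`
    for _ in range(count):
        if buf[pos:pos + 1] != b"$":
            raise ProtocolError("expected bulk header")
        line, pos = _read_line(buf, pos + 1)
        length = _parse_int(line, "bulk length")
        if length < 0:
            raise ProtocolError("negative bulk length")
        if length > limits.max_bulk_len:
            raise ProtocolError(f"bulk length {length} exceeds limit {limits.max_bulk_len}")
        # Only consume the payload once all of its bytes are present; a real server
        # would wait for more input here rather than reserve `length` bytes up front.
        if len(buf) < pos + length + 2:
            raise ProtocolError("incomplete bulk payload")
        if buf[pos + length:pos + length + 2] != b"\r\n":
            raise ProtocolError("bulk payload not terminated by CRLF")
        args.append(buf[pos:pos + length])
        pos += length + 2
    return args


def check(buf: bytes, limits: RespLimits) -> str:
    """Summarise the parser's verdict for one request as 'ok:...' or 'rejected:...'."""
    try:
        return "ok:" + b" ".join(parse_request(buf, limits)).decode("ascii", "replace")
    except ProtocolError as exc:
        return "rejected:" + str(exc)


# Constructed sample requests (not captured traffic).
LEGIT_AUTH = b"*2\r\n$4\r\nAUTH\r\n$6\r\nsecret\r\n"
HUGE_COUNT_HEADER = b"*2147483647\r\n"    # declares ~2 billion elements, sends none
HUGE_BULK_HEADER = b"*1\r\n$1073741824\r\n"  # declares a 1 GiB element, sends no bytes

if __name__ == "__main__":
    for name, req in [("legit AUTH", LEGIT_AUTH),
                      ("huge element count", HUGE_COUNT_HEADER),
                      ("huge element length", HUGE_BULK_HEADER)]:
        print(f"{name:20s} unauthenticated -> {check(req, UNAUTHENTICATED)}")
        print(f"{name:20s} authenticated   -> {check(req, AUTHENTICATED)}")
```

The point to take from it is the ordering: the limit comparison happens on the parsed integer, before `args` or any payload buffer depends on it, so a header that declares a huge count or length costs the server nothing but a rejected connection.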
Affected (25 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | redis | < redis 5:6.0.16-1 (bookworm) | redis 5:6.0.16-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cbl2_redis_6.2.6-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_redis_5.0.14-1_on_cbl_mariner_1.0 | — | — |
| oracle | communications_operations_monitor | — | — |
| oracle | communications_operations_monitor | — | — |
| oracle | communications_operations_monitor | — | — |
| redis | redis | < 5.0.14 | 5.0.14 |
| redis | redis | — | — |
| redis | redis | — | — |
| redis | redis | >= 0 < 5:6.0.16-1+deb11u1 | 5:6.0.16-1+deb11u1 |
| redis | redis | >= 0 < 5:6.0.16-1 | 5:6.0.16-1 |
| redis | redis | >= 0 < 5:6.0.16-1 | 5:6.0.16-1 |
| redis | redis | >= 0 < 5:6.0.16-1 | 5:6.0.16-1 |
| redis | redis | >= 0 < 2:2.8.4-2ubuntu0.2+esm2 | 2:2.8.4-2ubuntu0.2+esm2 |
| redis | redis | >= 0 < 2:3.0.6-1ubuntu0.4+esm1 | 2:3.0.6-1ubuntu0.4+esm1 |
| redis | redis | >= 0 < 5:4.0.9-1ubuntu0.2+esm3 | 5:4.0.9-1ubuntu0.2+esm3 |
| redis | redis | >= 0 < 5:5.0.7-2ubuntu0.1+esm1 | 5:5.0.7-2ubuntu0.1+esm1 |
| redis | redis | >= 5.0.0 < 5.0.14 | 5.0.14 |
| redis | redis | >= 6.0.0 < 6.0.16 | 6.0.16 |
| redis | redis | >= 6.2.0 < 6.2.6 | 6.2.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 5.4 | MEDIUM | — |
Ubuntu: Redis vulnerabilities
vendor_ubuntu · 2022-08-03 · CVSS 5.4 · CVE-2021-41099 [MEDIUM]
Summary: Several security issues were fixed in Redis.
It was discovered that Redis incorrectly handled certain specially crafted Lua scripts. A remote attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2021-32626)

It was discovered that Redis incorrectly handled some malformed requests when using Redis Lua Debugger. A remote attacker could possibly use this issue to cause a denial of service or other unspecified impact. This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2021-32672)

It was discovered that Redis incorrectly handled certain Redis Standard Protocol (RESP) requests. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2021-32675)

It was discovered t
Microsoft: DoS vulnerability in Redis
vendor_msrc · 2021-10-12 · CVSS 7.5 · CVE-2021-32675 [HIGH] · CWE-770
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/az
Red Hat: redis: Denial of service via Redis Standard Protocol (RESP) request
vendor_redhat · 2021-10-04 · CVSS 7.5 · CVE-2021-32675 [HIGH] · CWE-770
Debian: CVE-2021-32675: redis
vendor_debian · 2021 · CVSS 7.5 · CVE-2021-32675 [HIGH]
OSV: redis vulnerabilities
osv · 2022-08-03 · CVSS 8.8 · CVE-2021-32626 [HIGH]
It was discovered that Redis incorrectly handled certain specially crafted Lua scripts. A remote attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2021-32626)

It was discovered that Redis incorrectly handled some malformed requests when using Redis Lua Debugger. A remote attacker could possibly use this issue to cause a denial of service or other unspecified impact. This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2021-32672)

It was discovered that Redis incorrectly handled certain Redis Standard Protocol (RESP) requests. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2021-32675)

It was discovered that Redis incorrectly handled some configuration parameters wi
OSV: CVE-2021-32675: Redis is an open source, in-memory database that persists on disk
osv · 2021-10-04 · CVSS 7.5 · CVE-2021-32675 [HIGH]
No detection rules found.
No public exploits indexed.
References
- https://github.com/redis/redis/commit/5674b0057ff2903d43eaff802017eddf37c360f8
- https://github.com/redis/redis/security/advisories/GHSA-f6pw-v9gw-v64p
- https://lists.apache.org/thread.html/ra603ff6e04549d7f290f61f9b11e2d2e4dba693b05ff053f4ec6bc47%40%3Cnotifications.geode.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/
- https://security.gentoo.org/glsa/202209-17
- https://security.netapp.com/advisory/ntap-20211104-0003/
- https://www.debian.org/security/2021/dsa-5001
- https://www.oracle.com/security-alerts/cpuapr2022.html