CVE-2024-31228: Uncontrolled Recursion in Redis

Severity
6.5 MEDIUM (NVD)
EPSS
1.4%
top 19.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Oct 7
Latest update: Mar 5

Description

Redis is an open source, in-memory database that persists on disk. Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgr
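As an added example (not from this page or the Redis project), a small Python check that reads `redis_version` from the text returned by the `INFO server` command and tests it against the affected ranges listed in the CVEListV5 entry for this CVE; the INFO sample below is constructed, not captured from a real host.

```python
import re

# Affected upstream ranges for CVE-2024-31228, taken from the CVEListV5 entry:
# [2.2.5, 6.2.16), [7.0.0, 7.2.6), [7.3.0, 7.4.1); fixes are 6.2.16, 7.2.6, 7.4.1.
AFFECTED_RANGES = [
    ((2, 2, 5), (6, 2, 16)),
    ((7, 0, 0), (7, 2, 6)),
    ((7, 3, 0), (7, 4, 1)),
]


def parse_version(s):
    """Turn '7.2.5' (or '7.2.5-rc1') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised Redis version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the upstream version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def redis_version_from_info(info_text):
    """Extract the redis_version field from INFO server output."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


# Constructed sample of INFO server output (not from a real instance).
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:7.2.5\r\n"
    "redis_mode:standalone\r\n"
    "os:Linux 6.1.0 x86_64\r\n"
)

if __name__ == "__main__":
    ver = redis_version_from_info(SAMPLE_INFO)
    print(f"redis {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
```

Distribution packages backport the fix without changing the upstream version string (the Debian and Ubuntu entries on this page are examples), so a hit here is a prompt to compare the package version against the vendor advisory rather than a final verdict.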

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (16 packages)

NVD: redis/redis, affected from 2.2.5, fixed in 6.2.16 (+2)
debian: debian/redis, < redict 7.3.1+ds-1 (forky)
Debian: redis/redis, < 5:6.0.16-1+deb11u4 (+3)
Ubuntu: redis/redis, < 5:7.0.15-1ubuntu0.24.04.1 (+5)
CVEListV5: redis/redis, >= 2.2.5, < 6.2.16; >= 7.0.0, < 7.2.6; >= 7.3.0, < 7.4.1 (+2)

Patches

Vulnerability Details (2)

OSV: redis vulnerabilities (2025-03-05)
OSV: CVE-2024-31228: Redis is an open source, in-memory database that persists on disk (2024-10-07)

Vendor Advisories (4)

Ubuntu: Redis vulnerabilities (2025-03-05)
Microsoft: Denial-of-service due to unbounded pattern matching in Redis (2024-10-08)
Red Hat: redis: Denial-of-service due to unbounded pattern matching in Redis (2024-10-07)
Debian: CVE-2024-31228: redict - Redis is an open source, in-memory database that persists on disk. Authenticated... (2024)
CVE-2024-31228 — Uncontrolled Recursion in Redis | cvebase