CVE-2025-27151 — Improper Input Validation in Redis

CWE-20 — Improper Input Validation CWE-121 — Stack-based Buffer Overflow5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

0.3%

top 49.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redis Lfprojects Valkey Debian Redict +3 more

Timeline

PublishedMay 29

Description

Redis is an open source, in-memory database that persists on disk. In versions starting from 7.0.0 to before 8.0.2, a stack-based buffer overflow exists in redis-check-aof due to the use of memcpy with strlen(filepath) when copying a user-supplied file path into a fixed-size stack buffer. This allows an attacker to overflow the stack and potentially achieve code execution. This issue has been patched in version 8.0.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages8 packages

▶NVDredis/redis7.0.0 — 7.2.9+2

▶debiandebian/redis< redict 7.3.5+ds-1 (forky)

▶Debianredis/redis< 5:7.0.15-1~deb12u5+2

▶CVEListV5redis/redis>= 7.0.0, < 8.0.2

▶debiandebian/redict< redict 7.3.5+ds-1 (forky)

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2025-27151: Redis is an open source, in-memory database that persists on disk↗2025-05-29

▶

📋Vendor Advisories

Red Hat

redis: Redis Stack Buffer Overflow↗2025-05-29

▶

Microsoft

redis-check-aof may lead to stack overflow and potential RCE↗2025-05-13

▶

Debian

CVE-2025-27151: redict - Redis is an open source, in-memory database that persists on disk. In versions s...↗2025

▶