CVE-2025-29923 — Improper Input Validation in Redis Go-redis V9

CWE-20 — Improper Input Validation9 documents6 sources

Severity

3.7LOWNVD

EPSS

0.0%

top 88.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Redis Go-redis V9 Redis Go-redis Debian Golang-github-go-redis-redis +15 more

Timeline

PublishedMar 20

Latest updateMar 26

Description

go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses …

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages18 packages

▶Gogithub.com/redis_go-redis_v99.7.0-beta.1 — 9.7.3+3

▶CVEListV5redis/go-redis>= 9.5.1, < 9.5.5, >= 9.6.0b1, < 9.6.3, >= 9.7.0-beta.1, < 9.7.3+2

▶debiandebian/golang-github-go-redis-redis

▶msrcmsrc/azure_linux_3.0_arm

▶msrcmsrc/azure_linux_3.0_x64

🔴Vulnerability Details

OSV

Potential out of order responses when CLIENT SETINFO times out during connection establishment in github.com/redis/go-redis↗2025-03-26

▶

GHSA

go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment↗2025-03-20

▶

OSV

go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment↗2025-03-20

▶

OSV

CVE-2025-29923: go-redis is the official Redis client library for the Go programming language↗2025-03-20

▶

📋Vendor Advisories

Red Hat

github.com/redis/go-redis: go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment↗2025-03-20

▶

Microsoft

go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment↗2025-03-11

▶

Debian

CVE-2025-29923: golang-github-go-redis-redis - go-redis is the official Redis client library for the Go programming language. P...↗2025

▶

Microsoft

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet which (in some situations) allows attackers to bypass access control that is based on IP ad↗2021-08-10

▶