CVE-2025-32023
Published: 2025-07-07
Priority: P3 (56) · Severity: high · CVSS 3.1 base score 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 3.88% (88.9th percentile)
Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | redict | < redict 7.3.5+ds-1 (forky) | redict 7.3.5+ds-1 (forky) |
| debian | redis | < redict 7.3.5+ds-1 (forky) | redict 7.3.5+ds-1 (forky) |
| debian | valkey | < redict 7.3.5+ds-1 (forky) | redict 7.3.5+ds-1 (forky) |
| lfprojects | valkey | >= 0 < 8.1.1+dfsg1-3 | 8.1.1+dfsg1-3 |
| msrc | azl3_valkey_8.0.3-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_valkey_8.0.4-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_redis_6.2.18-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_redis_6.2.18-2_on_cbl_mariner_2.0 | — | — |
| redis | redis | — | — |
| redis | redis | >= 0 < 5:6.0.16-1+deb11u7 | 5:6.0.16-1+deb11u7 |
| redis | redis | >= 0 < 5:7.0.15-1~deb12u5 | 5:7.0.15-1~deb12u5 |
| redis | redis | >= 0 < 5:8.0.2-2 | 5:8.0.2-2 |
| redis | redis | >= 2.8.0 < 6.2.19 | 6.2.19 |
| redis | redis | >= 7.2.0 < 7.2.10 | 7.2.10 |
| redis | redis | >= 7.4.0 < 7.4.5 | 7.4.5 |
| redis | redis | >= 8.0.0 < 8.0.3 | 8.0.3 |
Detection & IOCs (extracted from sources)
- bytes: HYLL (HyperLogLog magic header)
- bytes: HLL_SPARSE encoding type byte (0x01) following HYLL magic
- bytes: xzero(0x4000) * 0x20000 overflow pattern in HLL payload
- Monitor Redis for PFCOUNT or other HyperLogLog commands (PFADD, PFMERGE) issued against keys containing a raw binary blob starting with the 'HYLL' magic header — this is the trigger pattern for CVE-2025-32023 exploitation.
- Alert on Redis SET commands that store a value beginning with the 4-byte magic 'HYLL' followed by a sparse encoding byte, especially when the payload is abnormally large (indicative of the overflow-inducing xzero run pattern).
- Detect exploitation attempts by looking for integer overflow conditions in HyperLogLog operations: an authenticated user sending a specially crafted string that triggers a stack/heap out-of-bounds write.
- Use Redis ACL to block HLL commands (PFADD, PFCOUNT, PFMERGE) for untrusted/unprivileged users as a detection-in-depth control; unexpected use of these commands by low-privilege accounts should be alerted on.
- Exploitation requires an authenticated Redis session; unauthenticated attackers cannot trigger this vulnerability directly.
- All Redis versions from 2.8 onward with HyperLogLog operations are affected; patched versions are 8.0.3, 7.4.5, 7.2.10, and 6.2.19.
- The exploit PoC targets Redis 8.0.2 specifically but the vulnerability class affects a wide range of versions; version-based detection alone is insufficient.
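As an added defender-side example (not part of this record, and not Redis project code), the following Python scans redis-cli MONITOR output for the two patterns listed above: HyperLogLog commands, and write commands whose value is a client-supplied blob starting with the HYLL magic (flagged separately when it is a sparse encoding above a size threshold). It assumes MONITOR's `timestamp [db client-addr] "cmd" "arg" ...` line format with `\xNN` escaping of binary bytes; the command set, the 4096-byte threshold and the sample lines are constructed for the example.

```python
import re

# HLL command path named in the advisory, plus write commands whose value arg has a fixed index.
HLL_COMMANDS = {"PFADD", "PFCOUNT", "PFMERGE", "PFDEBUG", "PFSELFTEST"}
VALUE_ARG_INDEX = {"SET": 1, "SETNX": 1, "APPEND": 1, "SETEX": 2, "PSETEX": 2}
HYLL_MAGIC = b"HYLL"  # 4-byte magic that starts every Redis HLL string encoding
HLL_SPARSE = 0x01     # encoding-type byte following the magic for sparse HLLs
LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>[^\]]+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one double-quoted MONITOR argument
SIMPLE_ESC = {"n": 10, "r": 13, "t": 9, "a": 7, "b": 8}

def unescape(arg: str) -> bytes:
    out, i = bytearray(), 0   # undo the \xNN and \n-style escapes MONITOR prints for binary
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg):
            if arg[i + 1] == "x" and i + 3 < len(arg):
                out.append(int(arg[i + 2:i + 4], 16)); i += 4; continue
            out.append(SIMPLE_ESC.get(arg[i + 1], ord(arg[i + 1]))); i += 2; continue
        out.append(ord(arg[i])); i += 1
    return bytes(out)

def parse_monitor_line(line: str):
    m = LINE_RE.match(line.strip())   # timestamp [db client-addr] "cmd" "arg" ...
    args = [unescape(a) for a in ARG_RE.findall(m.group("rest"))] if m else []
    if not args:
        return None
    return {"ts": m.group("ts"), "addr": m.group("addr"),
            "cmd": args[0].decode("ascii", "replace").upper(), "args": args[1:]}

def classify(line: str, large_threshold: int = 4096):
    """Return an alert reason for one MONITOR line, or None when it looks benign."""
    ev = parse_monitor_line(line)
    if ev is None:
        return None
    if ev["cmd"] in HLL_COMMANDS:
        return f'{ev["cmd"]} by {ev["addr"]}: HyperLogLog command path'
    idx = VALUE_ARG_INDEX.get(ev["cmd"])
    if idx is None or idx >= len(ev["args"]) or not ev["args"][idx].startswith(HYLL_MAGIC):
        return None
    value = ev["args"][idx]
    if len(value) > 4 and value[4] == HLL_SPARSE and len(value) > large_threshold:
        return f'{ev["cmd"]} by {ev["addr"]}: oversized sparse HYLL blob ({len(value)} bytes)'
    return f'{ev["cmd"]} by {ev["addr"]}: client wrote a raw HYLL blob'

# Constructed sample MONITOR output (not a real incident); classify() flags lines 2 and 3.
SAMPLE_MONITOR = [
    '1751900000.000001 [0 10.0.0.5:54321] "SET" "session:42" "ok"',
    '1751900000.000002 [0 10.0.0.5:54321] "SET" "hll:x" "HYLL\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"',
    '1751900000.000003 [0 10.0.0.5:54321] "PFCOUNT" "hll:x"',
]
```

Feed it `redis-cli MONITOR` output line by line (or a captured log of it) and forward every non-None reason to your alerting pipeline; the HLL-command rule is noisy where PF* commands are legitimate, so scope it to accounts the ACL workaround should already deny.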
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.0 | HIGH | — |
| vendor_msrc | — | 7.0 | HIGH | — |
| vendor_redhat | — | 7.0 | HIGH | — |
Ubuntu
vendor_ubuntu · 2026-03-24
CVE-2025-32023 Redis vulnerability
Summary: Redis could be made to crash or run programs if it received specially crafted network traffic.
Seunghyun Lee discovered that Redis incorrectly handled memory during hyperloglog operations. An attacker could use this issue to cause a denial of service, or possibly achieve remote code execution.
Instructions: After a standard system update you need to restart redis to make all the necessary changes.
Microsoft
vendor_msrc · 2025-07-08 · CVSS 7.0
CVE-2025-32023 [HIGH] CWE-680 Redis allows out of bounds writes in hyperloglog commands leading to RCE
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Red Hat
vendor_redhat · 2025-07-07 · CVSS 7.0
CVE-2025-32023 [HIGH] CWE-787 redis: Redis Hyperloglog Out-of-Bounds Write Vulnerability
A flaw was found in Redis. This flaw allows an authenticated user to trigger an integer ove
Debian
vendor_debian · 2025 · CVSS 7.0
CVE-2025-32023 [HIGH] redict
Scope: local
forky: resolved (fixed in 7.3.5+ds-1)
sid: resolved (fixed in 7.3.5+ds-1)
OSV
osv · 2025-07-07 · CVSS 7.8
CVE-2025-32023 [HIGH]
No detection rules found.
References:
- https://github.com/redis/redis/commit/50188747cbfe43528d2719399a2a3c9599169445
- https://github.com/redis/redis/releases/tag/6.2.19
- https://github.com/redis/redis/releases/tag/7.2.10
- https://github.com/redis/redis/releases/tag/7.4.5
- https://github.com/redis/redis/releases/tag/8.0.3
- https://github.com/redis/redis/security/advisories/GHSA-rp2m-q4j6-gr43
- https://www.exploit-db.com/exploits/52477