CVE-2025-32023
published 2025-07-07


Priority: P3 (56)
Severity: high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: flagged (public PoC)
EPSS: 3.88% (88.9th percentile)
Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands.

Affected

21 ranges
Vendor      Product                                  Version range                 Fixed in
debian      redict                                   < redict 7.3.5+ds-1 (forky)   redict 7.3.5+ds-1 (forky)
debian      redis                                    < redict 7.3.5+ds-1 (forky)   redict 7.3.5+ds-1 (forky)
debian      valkey                                   < redict 7.3.5+ds-1 (forky)   redict 7.3.5+ds-1 (forky)
lfprojects  valkey                                   >= 0 < 8.1.1+dfsg1-3          8.1.1+dfsg1-3
lfprojects  valkey                                   >= 0 < 8.1.1+dfsg1-3          8.1.1+dfsg1-3
msrc        azl3_valkey_8.0.3-3_on_azure_linux_3.0
msrc        azl3_valkey_8.0.4-1_on_azure_linux_3.0
msrc        cbl2_redis_6.2.18-1_on_cbl_mariner_2.0
msrc        cbl2_redis_6.2.18-2_on_cbl_mariner_2.0
redis       redis
redis       redis
redis       redis
redis       redis
redis       redis                                    >= 0 < 5:6.0.16-1+deb11u7     5:6.0.16-1+deb11u7
redis       redis                                    >= 0 < 5:7.0.15-1~deb12u5     5:7.0.15-1~deb12u5
redis       redis                                    >= 0 < 5:8.0.2-2              5:8.0.2-2
redis       redis                                    >= 0 < 5:8.0.2-2              5:8.0.2-2
redis       redis                                    >= 2.8.0 < 6.2.19             6.2.19
redis       redis                                    >= 7.2.0 < 7.2.10             7.2.10
redis       redis                                    >= 7.4.0 < 7.4.5              7.4.5
redis       redis                                    >= 8.0.0 < 8.0.3              8.0.3

Detection & IOCs (extracted from sources)

  • command: PFCOUNT <key> <key>
  • bytes: HYLL (HyperLogLog magic header)
  • bytes: HLL_SPARSE encoding type byte (0x01) following HYLL magic
  • bytes: xzero(0x4000) * 0x20000 overflow pattern in HLL payload
  • Monitor Redis for PFCOUNT or other HyperLogLog commands (PFADD, PFMERGE) issued against keys containing a raw binary blob starting with the 'HYLL' magic header — this is the trigger pattern for CVE-2025-32023 exploitation.
  • Alert on Redis SET commands that store a value beginning with the 4-byte magic 'HYLL' followed by a sparse encoding byte, especially when the payload is abnormally large (indicative of the overflow-inducing xzero run pattern).
  • Detect exploitation attempts by looking for integer overflow conditions in HyperLogLog operations: an authenticated user sending a specially crafted string that triggers a stack/heap out-of-bounds write.
  • Use Redis ACL to block HLL commands (PFADD, PFCOUNT, PFMERGE) for untrusted/unprivileged users as a detection-in-depth control; unexpected use of these commands by low-privilege accounts should be alerted on.
  • Exploitation requires an authenticated Redis session; unauthenticated attackers cannot trigger this vulnerability directly.
  • All Redis versions from 2.8 onward with HyperLogLog operations are affected; patched versions are 8.0.3, 7.4.5, 7.2.10, and 6.2.19.
  • The exploit PoC targets Redis 8.0.2 specifically but the vulnerability class affects a wide range of versions; version-based detection alone is insufficient.
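The detection bullets above (watch HLL commands, alert on SET of a value that starts with the HYLL magic plus the sparse encoding byte) and the ACL workaround from the description can be exercised against Redis MONITOR output. The following is an added example written for this page; it is not code from the Redis project or from the advisory sources. It assumes the standard MONITOR line layout (`<timestamp> [<db> <addr:port>] "CMD" "arg" ...` with non-printable bytes escaped as `\xNN`), a 4096-byte threshold as the meaning of "abnormally large" (an assumption, not a figure from the page), and a handful of constructed log lines as input; no overflow payload is constructed, only the header bytes the IOCs name.

```python
"""Scan Redis MONITOR output for CVE-2025-32023 trigger patterns (added example)."""
import re

# Members of Redis's @hyperloglog ACL category (the commands the workaround blocks).
HLL_COMMANDS = {b"PFADD", b"PFCOUNT", b"PFMERGE", b"PFDEBUG", b"PFSELFTEST"}
HYLL_MAGIC = b"HYLL"        # 4-byte header of a serialized HyperLogLog value
HLL_SPARSE = 0x01           # encoding byte at offset 4 for the sparse representation
LARGE_VALUE_BYTES = 4096    # assumed threshold for "abnormally large" SET payloads

# MONITOR line: 1720000000.000001 [0 10.0.0.5:51234] "SET" "key" "value"
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
SIMPLE_ESCAPES = {"n": 0x0A, "r": 0x0D, "t": 0x09, "a": 0x07, "b": 0x08}


def unescape(arg):
    """Decode MONITOR's argument escaping (\\xNN, \\n, \\", \\\\) back to raw bytes."""
    out = bytearray()
    i = 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg):
            nxt = arg[i + 1]
            if nxt == "x" and i + 3 < len(arg):
                out.append(int(arg[i + 2:i + 4], 16))
                i += 4
                continue
            out.append(SIMPLE_ESCAPES.get(nxt, ord(nxt)))
            i += 2
            continue
        out.extend(arg[i].encode("utf-8"))
        i += 1
    return bytes(out)


def parse_monitor_line(line):
    """Return {ts, db, client, args(bytes list)} or None for a non-MONITOR line."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    ts, db, client, rest = m.groups()
    args = [unescape(a) for a in ARG_RE.findall(rest)]
    return {"ts": float(ts), "db": int(db), "client": client, "args": args}


def looks_like_hll_blob(value):
    """True when a value carries the HYLL magic followed by the sparse encoding byte."""
    return len(value) > 4 and value[:4] == HYLL_MAGIC and value[4] == HLL_SPARSE


def analyze(line):
    """Findings for one line: ('hll_command', CMD, client) and/or ('hyll_set', severity, client)."""
    rec = parse_monitor_line(line)
    if rec is None or not rec["args"]:
        return []
    cmd = rec["args"][0].upper()
    findings = []
    if cmd in HLL_COMMANDS:
        findings.append(("hll_command", cmd.decode("ascii"), rec["client"]))
    if cmd == b"SET" and len(rec["args"]) >= 3 and looks_like_hll_blob(rec["args"][2]):
        severity = "high" if len(rec["args"][2]) >= LARGE_VALUE_BYTES else "medium"
        findings.append(("hyll_set", severity, rec["client"]))
    return findings


def scan(lines):
    """Run analyze() over a log and return (line_index, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines) for f in analyze(line)]


# Constructed sample MONITOR lines (not real traffic): the HLL header is magic,
# sparse byte, 3 pad bytes, 8 cardinality bytes, then zero filler of varying size.
HLL_HEADER_ESC = "HYLL\\x01\\x00\\x00\\x00" + "\\x00" * 8
SAMPLE_MONITOR = [
    '1720000000.000001 [0 10.0.0.5:51234] "PFADD" "visitors" "alice"',
    '1720000000.000002 [0 10.0.0.5:51234] "SET" "cache:user:7" "{\\"id\\":7}"',
    '1720000000.000003 [0 10.0.0.9:40022] "SET" "visitors" "' + HLL_HEADER_ESC + "\\x00" * 16 + '"',
    '1720000000.000004 [0 10.0.0.9:40022] "SET" "visitors" "' + HLL_HEADER_ESC + "\\x00" * 4100 + '"',
    '1720000000.000005 [0 10.0.0.9:40022] "PFCOUNT" "visitors"',
    "not a monitor line",
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_MONITOR):
        print("line %d: %s" % (idx, finding))
```

A `hyll_set` followed by an HLL command from the same client is the sequence the first bullet describes, so correlating the two findings per client is the natural next step. For the workaround itself, on Redis 6 and later (which every fixed branch on this page is) the ACL rule `ACL SETUSER <user> -@hyperloglog` removes exactly the commands in `HLL_COMMANDS` from that user, and any of them then showing up in MONITOR from such a user is itself a finding.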

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv                     7.8    HIGH
vendor_debian           7.0    HIGH
vendor_msrc             7.0    HIGH
vendor_redhat           7.0    HIGH