CVE-2025-62507 — Improper Input Validation in Redis

CWE-20 — Improper Input Validation CWE-121 — Stack-based Buffer Overflow CWE-787 — Out-of-bounds Write6 documents5 sources

Severity

7.7HIGHNVD

EPSS

0.1%

top 71.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redis Debian Redis

Timeline

PublishedNov 4

Description

Redis is an open source, in-memory database that persists on disk. In versions 8.2.0 and above, a user can run the XACKDEL command with multiple ID's and trigger a stack buffer overflow, which may potentially lead to remote code execution. This issue is fixed in version 8.2.3. To workaround this issue without patching the redis-server executable is to prevent users from executing XACKDEL operation. This can be done using ACL to restrict XACKDEL command.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDredis/redis8.2.0 — 8.2.3

▶CVEListV5redis/redis>= 8.2.0, < 8.2.3

▶debiandebian/redis

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2025-62507: Redis is an open source, in-memory database that persists on disk↗2025-11-04

▶

📋Vendor Advisories

Red Hat

redis: Redis: Bug in XACKDEL may lead to stack overflow and potential RCE↗2025-11-04

▶

Debian

CVE-2025-62507: redis - Redis is an open source, in-memory database that persists on disk. In versions 8...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2026-21863 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-67733 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶