CVE-2025-67733 — Injection in Valkey

CWE-74 — Injection CWE-170 — Improper Null Termination10 documents7 sources

Severity

7.1HIGHNVD

EPSS

0.0%

top 94.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Valkey-io Valkey Lfprojects Valkey Debian Redict +3 more

Timeline

PublishedFeb 23

Latest updateMar 18

Description

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:HExploitability: 2.8 | Impact: 4.2

Affected Packages8 packages

▶debiandebian/valkey< valkey 8.1.4+dfsg1-2 (forky)

▶CVEListV5valkey-io/valkey< 7.2.12+3

▶NVDlfprojects/valkey8.0.0 — 8.0.7+3

▶Debianlfprojects/valkey< 8.1.1+dfsg1-3+deb13u2+1

▶Ubuntulfprojects/valkey< 7.2.12+dfsg1-0ubuntu0.1+1

🔴Vulnerability Details

OSV

valkey vulnerabilities↗2026-03-18

▶

OSV

CVE-2025-67733: Valkey is a distributed key-value database↗2026-02-23

▶

📋Vendor Advisories

Ubuntu

Valkey vulnerabilities↗2026-03-18

▶

Red Hat

Valkey: Valkey: Data tampering and denial of service via improper null character handling in Lua scripts↗2026-02-23

▶

Microsoft

Valkey Affected by RESP Protocol Injection via Lua error_reply↗2026-02-10

▶

Debian

CVE-2025-67733: redict - Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0....↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27623 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-21863 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-67733 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶