Debian Security Update DSA-6279-1 redis - security update

LinuxBot

Brief introduction
CVE-2025-67733
A flaw in the Lua scripting error path allowed an authenticated user to embed CR/LF byte sequences in an error reply produced via redis.error_reply() or the Lua error() function. Because RESP uses CRLF as a frame delimiter, an injected sequence could be interpreted by the client as the start of an unrelated reply, allowing an attacker to inject arbitrary content into the response stream and tamper with data read by other commands on the same connection.
CVE-2026-21863
The cluster bus packet validation in clusterProcessPacket() did not verify that the gossip-section count and per-extension header declared by an incoming PING, PONG or MEET message actually fit within the received packet. A peer with access to the cluster bus port could send a specially crafted message whose declared lengths exceed the packet size, causing the server to read out of bounds and potentially crash, resulting in a denial of service.
https://security-tracker.debian.org/tracker/DSA-6279-1
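As an added illustration of the framing issue behind CVE-2025-67733 (example code written for this post, not from the advisory or from Redis): a minimal RESP line parser and an error-reply encoder, showing that an error text containing CRLF is read by the client as two replies when framed raw, while stripping CR/LF from the text (an assumed defensive behaviour, not Redis's actual patch) yields one.

```python
# Added example (not from the advisory or from Redis itself): a minimal RESP
# reply parser plus an error-reply encoder, showing why an unsanitised error
# text containing CR/LF splits into extra replies. Both functions are
# hypothetical illustrations, not Redis's own code.

def encode_error_reply(msg: str, sanitize: bool = True) -> bytes:
    """Build a RESP simple error frame ("-<msg>\\r\\n").

    With sanitize=True, CR and LF inside the message are replaced by spaces so
    the text can never terminate the frame early (the defensive behaviour).
    With sanitize=False the raw text is framed as-is (the vulnerable behaviour).
    """
    if sanitize:
        msg = msg.replace("\r", " ").replace("\n", " ")
    return b"-" + msg.encode() + b"\r\n"

def parse_replies(stream: bytes) -> list[tuple[str, str]]:
    """Split a RESP byte stream into (type, payload) replies.

    Only the line-oriented types (+ simple string, - error, : integer) are
    handled; each is terminated by CRLF, which is exactly the delimiter an
    embedded CR/LF sequence collides with.
    """
    replies = []
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        kind = {b"+": "simple", b"-": "error", b":": "integer"}.get(line[:1])
        if kind is None:
            raise ValueError(f"unsupported RESP type: {line[:1]!r}")
        replies.append((kind, line[1:].decode()))
    return replies

def reply_count(msg: str, sanitize: bool) -> int:
    """How many replies a client would see for a single error message."""
    return len(parse_replies(encode_error_reply(msg, sanitize)))

# Constructed sample: a script error text that happens to contain a CRLF.
SAMPLE_ERROR = "script failed\r\n+OK"

if __name__ == "__main__":
    print(reply_count(SAMPLE_ERROR, sanitize=False))  # 2: the client sees a phantom +OK
    print(reply_count(SAMPLE_ERROR, sanitize=True))   # 1: a single error reply
```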
