Vulnerability Description
Redis is an open source, in-memory database that persists on disk. In versions 8.2.0 and above, a user can run the XACKDEL command with multiple ID's and trigger a stack buffer overflow, which may potentially lead to remote code execution. This issue is fixed in version 8.2.3. To workaround this issue without patching the redis-server executable is to prevent users from executing XACKDEL operation. This can be done using ACL to restrict XACKDEL command.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redis | Redis | >= 8.2.0, < 8.2.3 |
Related Weaknesses (CWE)
References
- https://github.com/redis/redis/commit/5f83972188f6e5b1d6f1940218c650a9cbdf7741Patch
- https://github.com/redis/redis/releases/tag/8.2.3Release Notes
- https://github.com/redis/redis/security/advisories/GHSA-jhjx-x4cf-4vm8Vendor Advisory
FAQ
What is CVE-2025-62507?
CVE-2025-62507 is a vulnerability with a CVSS score of 8.8 (HIGH). Redis is an open source, in-memory database that persists on disk. In versions 8.2.0 and above, a user can run the XACKDEL command with multiple ID's and trigger a stack buffer overflow, which may pot...
How severe is CVE-2025-62507?
CVE-2025-62507 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-62507?
Check the references section above for vendor advisories and patch information. Affected products include: Redis Redis.