INFSA-2025:11401: valkey security update
Information about definition
Identificator: INFSA-2025:11401
Type: security
Release date: 2025-07-25 11:08:37 UTC
Information about package
Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set. In order to achieve its outstanding performance, Valkey works with an in-memory dataset. Depending on your use case, you can persist it either by dumping the dataset to disk every once in a while, or by appending each command to a log. Valkey also supports trivial-to-setup master-slave replication, with very fast non-blocking first synchronization, auto-reconnection on net split and so forth. Other features include Transactions, Pub/Sub, Lua scripting, Keys with a limited time-to-live, and configuration settings to make Valkey behave like a cache. You can use Valkey from most programming languages also.
Vulnerabilities description
- CVE-2025-32023
Redis could allow a local authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write flaw in hyperloglog commands.
- CVE-2025-48367
Redis is vulnerable to a denial of service, caused by a bad connection error handling.
- CVE-2025-27151
Redis is vulnerable to a denial of service, caused by a stack-based buffer overflow in redis-check-aof due to the use of memcpy with strlen(filepath) when copying a user-supplied file path into a fixed-size stack buffer. This allows an attacker to overflow the stack and possibly achieve code execution.
Severity level
| CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
|---|---|---|---|
|
NIST — CVE-2025-27151
|
no information | 2.5 | no information |
|
NIST — CVE-2025-32023
|
no information | 7.0 | no information |
|
NIST — CVE-2025-48367
|
no information | 5.3 | no information |
Updated packages