BIT-valkey-2025-67733

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/valkey/BIT-valkey-2025-67733.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-valkey-2025-67733

Aliases

CVE-2025-67733
GHSA-p876-p7q5-hv2m

Published

2026-02-26T08:53:18.978Z

Modified

2026-02-26T09:41:14.622014Z

Summary

Valkey Affected by RESP Protocol Injection via Lua error_reply

Details

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.

Database specific

{
    "cpes": [
        "cpe:2.3:a:valkey-io:valkey:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / valkey

Package

Name: valkey
Purl: pkg:bitnami/valkey

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.2.12

Introduced

8.0.0

Fixed

8.0.7

Introduced

8.1.0

Fixed

8.1.6

Introduced

9.0.0

Fixed

9.0.2

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/valkey/BIT-valkey-2025-67733.json"