CVE-2025-46686

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-46686
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46686.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-46686
Aliases
Downstream
Related
Published
2025-07-23T19:15:33.133Z
Modified
2026-04-10T05:28:30.274428Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
[none]
Details

Redis through 8.0.3 allows memory consumption via a multi-bulk command composed of many bulks, sent by an authenticated user. This occurs because the server allocates memory for the command arguments of every bulk, even when the command is skipped because of insufficient permissions. NOTE: this is disputed by the Supplier because abuse of the commands network protocol is not a violation of the Redis Security Model.

References

Affected packages

Git / github.com/redis/redis

Affected ranges

Type
GIT
Repo
https://github.com/redis/redis
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
b49d5c0cf4e96a277d4b4e98f61d10c792b37003
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.0.3"
        }
    ]
}

Affected versions

1.*
1.3.6
2.*
2.2-alpha0
2.2-alpha1
2.2-alpha2
2.2-alpha3
2.2-alpha4
2.2-alpha5
2.2-alpha6
2.2.0-rc1
2.3-alpha0
8.*
8.0-m01
8.0-m02
8.0-m03
8.0-m04
8.0-m04-int
8.0-rc1
8.0-rc1-int
8.0-rc1-int2
8.0-rc2-int
8.0.0
8.0.1
8.0.1-int
8.0.2
8.0.3
v1.*
v1.3.10
v1.3.11
v1.3.7
v1.3.8
v1.3.9
v2.*
v2.0.0-rc1
v2.1.1-watch
Other
vm-playpen

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46686.json"