A series of vulnerabilities has been identified that affect all versions of Valkey. Below is the summary of each vulnerability:

The patches for these CVEs have been released in newer versions of valkey-server and valkey-bloom. Please upgrade to one of these versions as soon as possible:

  • valkey-server 9.0.3
  • valkey-server 8.1.6
  • valkey-server 8.0.7
  • valkey-server 7.2.12
  • valkey-bloom 1.0.1

If you cannot upgrade your Valkey deployments right now, please read on for the mitigation steps for each of the reported CVEs.

CVE-2025-67733: RESP Protocol Injection via Lua error_reply

Impact

A malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection.

Details

The error-handling code in Lua scripts does not properly handle null characters when returning error responses.

Affected Versions

This issue impacts all versions of Valkey before 9.0.2.

Mitigation

You can mitigate this issue by using Valkey ACLs to restrict the EVAL, EVALSHA, and FCALL commands if your application doesn’t intend to use them.
For example, to prevent the user testuser1 from executing said commands:

We can then verify that testuser1 cannot execute these commands:

Fixed Version

  • Valkey 9.0.2
  • Valkey 8.1.6
  • Valkey 8.0.7
  • Valkey 7.2.12

CVE-2026-21864: Remote DoS from malformed RESTORE command

Impact

A specially crafted RESTORE command can cause Valkey to trigger an assertion, leading the server to shut down.

Details

Valkey modules must handle errors in RDB parsing by using the VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS flag. If this flag is not set, parsing errors result in a system assertion that shuts down the server. Even though the valkey-bloom module correctly handled the parsing of invalid RDB data, it did not set the flag.

Affected Versions

This issue impacts all versions of valkey-bloom and valkey-bundle and any custom module that uses custom data types but doesn’t declare the VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS option.

Mitigation

You can mitigate this issue by using Valkey ACLs to restrict the RESTORE command if your application doesn’t intend to use it.
For example, to prevent the user testuser1 from executing said command:

We can then verify that testuser1 cannot execute RESTORE:
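Both ACL mitigations above (restricting EVAL, EVALSHA and FCALL for CVE-2025-67733, and RESTORE for CVE-2026-21864) come down to the same operational question: which users can still run those commands, and what rule removes them. The following Python script is an added example, not code from the Valkey project or this advisory. It parses the text of an `ACL LIST` reply, evaluates the command rules in order for the four commands of interest, and prints the `ACL SETUSER` line (real Valkey ACL syntax, where `-cmd` revokes a single command) for every enabled user that is still exposed. The sample `ACL LIST` lines are constructed, `#<password-hash>` stands in for the SHA-256 the server prints, and the category sets in `CATEGORIES` are an assumption taken from the Valkey command table that you should confirm with `ACL CAT scripting` and `ACL CAT dangerous` on your own server.

```python
"""Audit `ACL LIST` output for users who can still run the commands named in the
advisory (EVAL, EVALSHA, FCALL for CVE-2025-67733; RESTORE for CVE-2026-21864)
and build the ACL SETUSER rule that revokes them.

Added example, not Valkey project code. Category membership below is an
assumption taken from the Valkey command table; confirm it on your own server
with `ACL CAT scripting` / `ACL CAT dangerous`, since modules add commands."""

CATEGORIES = {
    "eval": {"scripting", "slow"},
    "evalsha": {"scripting", "slow"},
    "fcall": {"scripting", "slow"},
    "restore": {"keyspace", "write", "slow", "dangerous"},
}
WATCHED = tuple(CATEGORIES)

# Constructed sample shaped like real `ACL LIST` replies; "#<password-hash>"
# stands in for the SHA-256 the server prints after '#'.
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user testuser1 on #<password-hash> ~* &* +@all -eval -evalsha -fcall -restore",
    "user reporter on #<password-hash> ~cache:* resetchannels -@all +@read +get",
    "user batch on #<password-hash> ~* &* -@all +@scripting +restore",
    "user ops on #<password-hash> ~* &* -@all +get (~* +restore)",
    "user retired off #<password-hash> ~* &* +@all",
]


def parse_acl_line(line):
    """Split one ACL LIST line into (user, root rules, [selector rule lists])."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    root, selectors, current = [], [], None
    for tok in parts[2:]:
        if tok.startswith("("):  # selector: an extra, independent permission set
            current, tok = [], tok[1:]
        if current is None:
            root.append(tok)
            continue
        closed = tok.endswith(")")
        tok = tok.rstrip(")")
        if tok:
            current.append(tok)
        if closed:
            selectors.append(current)
            current = None
    return parts[1], root, selectors


def can_run(rules, cmd):
    """Evaluate command rules left to right, as the server does, for one command.
    Key, channel and password tokens are ignored; an allow on a first-arg form
    (+cmd|arg) counts as an allow so the audit errs on the side of reporting."""
    allowed = False
    for rule in rules:
        if rule in ("allcommands", "+@all"):
            allowed = True
        elif rule in ("nocommands", "-@all", "reset"):
            allowed = False
        elif len(rule) > 1 and rule[0] in "+-":
            grant, target = rule[0] == "+", rule[1:].lower()
            if target.startswith("@"):
                if target[1:] in CATEGORIES[cmd]:
                    allowed = grant
            elif target.split("|", 1)[0] == cmd and (grant or "|" not in target):
                allowed = grant
    return allowed


def user_enabled(root):
    """Last on/off token wins; a disabled user cannot run anything."""
    enabled = True
    for tok in root:
        if tok in ("on", "off"):
            enabled = tok == "on"
    return enabled


def audit(acl_lines):
    """Return {user: [watched commands the user can still run]} for enabled users."""
    findings = {}
    for line in acl_lines:
        user, root, selectors = parse_acl_line(line)
        if not user_enabled(root):
            continue
        exposed = [c for c in WATCHED
                   if can_run(root, c) or any(can_run(s, c) for s in selectors)]
        if exposed:
            findings[user] = exposed
    return findings


def setuser_rule(user, commands=WATCHED):
    """ACL SETUSER line revoking each command (`-cmd` is real Valkey ACL syntax)."""
    return "ACL SETUSER " + user + " " + " ".join("-" + c for c in commands)


if __name__ == "__main__":
    for user, cmds in audit(SAMPLE_ACL_LIST).items():
        print(f"{user}: can still run {', '.join(cmds)}")
        print("  apply:", setuser_rule(user, cmds))
```

To use it against a live deployment, feed it the lines of `valkey-cli ACL LIST` instead of the constructed sample, apply the printed `ACL SETUSER` rules, then confirm the change with `ACL DRYRUN testuser1 EVAL "return 0" 0` and `ACL DRYRUN testuser1 RESTORE k 0 ""`, which report the denial without executing anything, and re-run the audit on fresh `ACL LIST` output. Rules for the `default` user matter as much as named users, since clients that never AUTH run as `default`.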

Fixed Version

  • valkey-bloom 1.0.1

CVE-2026-21863: Remote DoS with malformed Valkey Cluster bus message

Impact

A malicious actor with access to the Valkey cluster bus port can send an invalid packet that may cause an out-of-bounds read, resulting in the Valkey process being terminated.

Details

The Valkey cluster bus packet processing code does not validate that a cluster bus PING extension packet is present in the buffer before attempting to read it. Attempting to read memory outside the process’s allocated memory can crash the server.

Affected Versions

This issue impacts all versions of Valkey before 9.0.3.

Mitigation

We recommend that the cluster bus port never be exposed to end users and that it be protected by its own network ACLs.

Fixed Version

  • Valkey 9.0.3
  • Valkey 8.1.6
  • Valkey 8.0.7
  • Valkey 7.2.12

CVE-2026-27623: Pre-Authentication DoS from malformed RESP request

Impact

A malicious actor with network access to Valkey can cause the system to abort by triggering an assertion.

Details

When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server-side invariants, causing the server to shut down.

Affected Versions

This issue impacts all Valkey 9.0.x versions before 9.0.3.

Mitigation

Your Valkey deployments should be properly isolated and configured to limit access.

Fixed Version

  • Valkey 9.0.3