CVE-2025-48367

Name	CVE-2025-48367
Description	Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4240-1, DSA-5969-1
Debian Bugs	1108980, 1108981, 1108982

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
redict (PTS)	forky, sid	7.3.6+ds-1	fixed
redis (PTS)	bullseye	5:6.0.16-1+deb11u2	vulnerable
	bullseye (security)	5:6.0.16-1+deb11u8	fixed
	bookworm	5:7.0.15-1~deb12u5	fixed
	bookworm (security)	5:7.0.15-1~deb12u6	fixed
	trixie	5:8.0.2-3	fixed
	trixie (security)	5:8.0.2-3+deb13u1	fixed
	forky, sid	5:8.0.4-1	fixed
valkey (PTS)	trixie	8.1.1+dfsg1-3	fixed
	trixie (security)	8.1.1+dfsg1-3+deb13u1	fixed
	forky, sid	8.1.4+dfsg1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
redict	source	(unstable)	7.3.5+ds-1		1108980
redis	source	bullseye	5:6.0.16-1+deb11u7	DLA-4240-1
redis	source	bookworm	5:7.0.15-1~deb12u5	DSA-5969-1
redis	source	(unstable)	5:8.0.2-2		1108981
valkey	source	(unstable)	8.1.1+dfsg1-3		1108982

Notes

https://codeberg.org/redict/redict/issues/105
https://github.com/redis/redis/security/advisories/GHSA-4q32-c38c-pwgq
Fixed by: https://github.com/redis/redis/commit/bde62951accfc4bb0a516276fd0b4b307e140ce2 (8.0.3)
https://github.com/valkey-io/valkey/pull/2315
Fixed by: https://github.com/valkey-io/valkey/commit/cb10d9d78f35945b667e46967b3980e89954d73b