CVE-2023-25155 Overview
CVE-2023-25155 is an integer overflow vulnerability affecting Redis, the popular in-memory database that persists on disk. Authenticated users can exploit this flaw by issuing specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands that trigger an integer overflow condition. This results in a runtime assertion failure and immediate termination of the Redis server process, causing a denial of service condition.
Critical Impact
Authenticated attackers can crash Redis server instances by exploiting integer overflow conditions in random element selection commands, causing service disruption.
Affected Products
- Redis versions prior to 6.0.18
- Redis versions prior to 6.2.11
- Redis versions prior to 7.0.9
Discovery Timeline
- 2023-03-02 - CVE-2023-25155 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-25155
Vulnerability Analysis
This vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). The flaw exists in the handling of count parameters passed to Redis random element selection commands, specifically SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD. When authenticated users provide specially crafted numeric values to these commands, the server fails to properly validate the input boundaries, allowing integer overflow conditions to occur.
The vulnerability is exploitable over the network and requires low attack complexity once an attacker has valid authentication credentials. While the flaw does not impact confidentiality or integrity, it provides a reliable mechanism for attackers to terminate Redis server processes, resulting in complete availability loss for dependent applications.
Root Cause
The root cause lies in insufficient input validation when processing the count parameter for random element selection commands. The original implementation used getLongFromObjectOrReply() which did not enforce proper boundary checks on the input values. Additionally, the boundary validation logic used LONG_MIN/2 as a lower bound, which could still result in integer overflow conditions when combined with certain operations.
Attack Vector
The attack requires authenticated access to a Redis instance. An attacker with valid credentials can send malformed commands with carefully selected numeric parameters that, when processed by the vulnerable functions, cause the count value to overflow. This triggers a runtime assertion within the Redis server, leading to immediate process termination and service disruption.
// Patch to src/t_hash.c: lines prefixed "-" are the vulnerable code removed by the fix, lines prefixed "+" are what replaced them
// Source: https://github.com/redis/redis/commit/2a2a582e7cd99ba3b531336b8bd41df2b566e619
listpackEntry ele;
if (c->argc >= 3) {
- if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
+ if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return;
if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withvalues"))) {
addReplyErrorObject(c,shared.syntaxerr);
return;
} else if (c->argc == 4) {
withvalues = 1;
- if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+ if (l < -LONG_MAX/2 || l > LONG_MAX/2) {
addReplyError(c,"value is out of range");
return;
}
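Review bot: both new bounds, -LONG_MAX in the getRangeLongFromObjectOrReply call and -LONG_MAX/2 in the withvalues branch, deliberately exclude LONG_MIN (and LONG_MIN/2) from the accepted range, yet the hunk carries no comment saying why. A one-line comment above the range call noting that a count at the type's minimum cannot be safely negated in C (signed overflow is undefined), and that the halved bound leaves room for the doubling the withvalues path evidently performs (not visible in this hunk's context), would keep a future reader from "simplifying" the check back to `l < LONG_MIN/2`.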
The fix replaces getLongFromObjectOrReply() with getRangeLongFromObjectOrReply() to enforce proper input bounds, and corrects the boundary check from LONG_MIN/2 to -LONG_MAX/2.
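To make the arithmetic behind the two bounds concrete, the following added example (not Redis code, and not from the advisory) models the count validation quoted above before and after the fix with C's 64-bit `long` wraparound made explicit. It assumes, based on the upstream fix rather than on the hunk shown here, that a negative count is negated to obtain the number of elements and that the count is doubled to size the reply when WITHVALUES is given; `c_div`, `wrap64` and `classify` are helper names introduced here.

```python
# Added example (not Redis source): models the count validation before and
# after the CVE-2023-25155 fix with C's 64-bit `long` arithmetic made explicit.
# Assumption (taken from the upstream fix, not from the quoted hunk): a negative
# count is negated to get the element count, and the count is doubled to size
# the reply when WITHVALUES is requested.

LONG_MAX = 2**63 - 1
LONG_MIN = -2**63


def c_div(a, b):
    """Integer division truncating toward zero, as C does for signed operands
    (Python's // floors, which differs for negative results)."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def wrap64(v):
    """Fold an unbounded Python int into the signed 64-bit range, mimicking
    two's-complement wraparound of a C `long` on a 64-bit build."""
    return (v + 2**63) % 2**64 - 2**63


def accepted_before_fix(l, withvalues):
    """Old logic: getLongFromObjectOrReply accepts any representable long, and
    the WITHVALUES window uses LONG_MIN/2 as its lower bound."""
    if not (LONG_MIN <= l <= LONG_MAX):
        return False  # not a long at all; rejected at parse time
    if withvalues and (l < c_div(LONG_MIN, 2) or l > c_div(LONG_MAX, 2)):
        return False
    return True


def accepted_after_fix(l, withvalues):
    """Patched logic: getRangeLongFromObjectOrReply(-LONG_MAX, LONG_MAX) plus a
    symmetric -LONG_MAX/2 .. LONG_MAX/2 window for WITHVALUES."""
    if not (-LONG_MAX <= l <= LONG_MAX):
        return False  # LONG_MIN is now rejected before any arithmetic
    if withvalues and (l < -c_div(LONG_MAX, 2) or l > c_div(LONG_MAX, 2)):
        return False
    return True


def derived_reply_size(l, withvalues):
    """The quantity the server goes on to compute (assumption noted above):
    |count|, doubled for WITHVALUES, with C wraparound applied."""
    count = l if l >= 0 else wrap64(-l)
    return wrap64(count * 2) if withvalues else count


def classify(l, withvalues=False):
    """Summarise how one count value fares under both versions of the check.
    A derived size that wraps negative is a count the server can no longer
    treat as a valid non-negative length, the condition the text describes."""
    size = derived_reply_size(l, withvalues)
    return {
        "old_accepts": accepted_before_fix(l, withvalues),
        "new_accepts": accepted_after_fix(l, withvalues),
        "wraps_negative": size < 0,
    }


if __name__ == "__main__":
    cases = [
        (LONG_MIN, False),            # old check accepts; -l wraps to LONG_MIN
        (c_div(LONG_MIN, 2), True),   # old bound is inclusive here; doubling wraps
        (-c_div(LONG_MAX, 2), True),  # new lower bound: doubling fits
        (-LONG_MAX, False),           # new lower bound without WITHVALUES: fits
        (5, True),                    # ordinary request
    ]
    for l, wv in cases:
        print(f"count={l:>21} withvalues={wv!s:5} -> {classify(l, wv)}")
```

The two rejected cases are exactly the values the original checks let through: LONG_MIN passes because getLongFromObjectOrReply imposes no range, and LONG_MIN/2 passes because the old test was `l < LONG_MIN/2`, an inclusive lower bound whose negation doubled lands one past LONG_MAX. Moving the bounds to -LONG_MAX and -LONG_MAX/2 makes the accepted window symmetric, so negating or doubling an accepted value can never leave the type's range.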
Detection Methods for CVE-2023-25155
Indicators of Compromise
- Unexpected Redis server crashes or restarts without clear cause
- Redis logs showing assertion failures in command processing
- Unusual SRANDMEMBER, ZRANDMEMBER, or HRANDFIELD commands with extreme numeric values
- Repeated authentication attempts followed by server termination
Detection Strategies
- Monitor Redis server logs for assertion failure messages and unexpected terminations
- Implement command auditing to track usage of SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands
- Configure alerting on Redis process crashes or abnormal restarts
- Review authentication logs for suspicious access patterns preceding service disruptions
Monitoring Recommendations
- Deploy application performance monitoring to detect Redis availability degradation
- Enable Redis command logging in controlled environments to capture exploit attempts
- Set up automated health checks that alert on Redis instance unavailability
- Monitor system logs for signals of repeated process terminations on Redis ports
How to Mitigate CVE-2023-25155
Immediate Actions Required
- Upgrade Redis to patched versions: 6.0.18, 6.2.11, or 7.0.9 or later
- Review and restrict Redis authentication credentials to trusted clients only
- Implement network segmentation to limit access to Redis instances
- Enable Redis ACLs to restrict which users can execute random element commands
Patch Information
Redis has released patches addressing this vulnerability in versions 6.0.18, 6.2.11 and 7.0.9.
The security fix is documented in GitHub Security Advisory GHSA-x2r7-j9vw-3w83 and in commit 2a2a582.
Workarounds
- Use Redis ACLs to disable or restrict access to SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands for untrusted users
- Implement application-level input validation before passing count parameters to Redis
- Place Redis instances behind authentication proxies that can filter malicious commands
- Deploy Redis behind a firewall and restrict network access to trusted clients only
# Example Redis ACL rules to restrict the affected commands
# ACL SETUSER is a runtime command issued through redis-cli; persist it with ACL SAVE when an aclfile is configured.
# The equivalent static line for redis.conf is:
#   user restricted_user on >password ~* +@all -srandmember -zrandmember -hrandfield
# Create a restricted user that cannot use the random-element commands
# ('>' and '~*' are quoted so the shell does not treat them as a redirect and a glob)
redis-cli ACL SETUSER restricted_user on '>password' '~*' +@all -srandmember -zrandmember -hrandfield
# Verify the resulting rules
redis-cli ACL LIST
redis-cli ACL GETUSER restricted_user
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


