CVE-2023-28425 Overview
CVE-2023-28425 is a Denial of Service vulnerability affecting Redis, the popular in-memory database that persists on disk. Starting in version 7.0.8 and prior to version 7.0.10, authenticated users can exploit the MSETNX command to trigger a runtime assertion failure, resulting in abrupt termination of the Redis server process. This vulnerability allows attackers with valid authentication credentials to crash the database server, causing service disruption for all dependent applications.
Critical Impact
Authenticated attackers can crash Redis servers by triggering a runtime assertion through the MSETNX command, leading to complete service unavailability and potential data loss for applications relying on the database.
Affected Products
- Redis versions 7.0.8 through 7.0.9
- Redis Redis (all distributions within the vulnerable version range)
- Systems running vulnerable Redis versions as caching or database backends
Discovery Timeline
- 2023-03-20 - CVE-2023-28425 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-28425
Vulnerability Analysis
This vulnerability is classified under CWE-617 (Reachable Assertion) and CWE-77 (Command Injection). The core issue lies in how Redis handles the MSETNX command under specific conditions. When an authenticated user sends a specially crafted MSETNX command, the server encounters a condition that triggers a runtime assertion check. When this assertion fails, the Redis server process terminates immediately rather than handling the error gracefully.
The MSETNX command is designed to set multiple keys to their respective values only if none of the keys already exist. However, the vulnerable code path contains an assertion that can be reached through normal command execution, violating the principle that assertions should only fail due to programming errors, not user input.
Root Cause
The root cause of this vulnerability is an improper assertion placement in the MSETNX command handler within Redis versions 7.0.8 and 7.0.9. The assertion was intended as a debugging aid during development but remained in the production code where it could be triggered by authenticated users through legitimate command usage patterns. When the assertion condition evaluates to false, the C runtime calls abort(), immediately terminating the Redis server process without graceful shutdown procedures.
Attack Vector
The attack vector requires local access and authenticated credentials to the Redis server. An attacker with valid Redis authentication can exploit this vulnerability by:
- Connecting to the Redis server with valid credentials
- Sending a specially crafted MSETNX command that triggers the assertion failure
- Causing the Redis server process to terminate abruptly
The vulnerability manifests in the MSETNX command processing logic. When certain input conditions are met, the server reaches an assertion that was not intended to be reachable through normal operation. The assertion failure causes an immediate process termination via abort(). For detailed technical information about the specific fix, see the GitHub security advisory and the commit that resolved this issue.
Detection Methods for CVE-2023-28425
Indicators of Compromise
- Unexpected Redis server process terminations without corresponding error logs
- Presence of core dump files indicating assertion failures in the Redis binary
- Redis service restart events correlating with specific client connections
- Log entries showing MSETNX commands preceding server crashes
Detection Strategies
- Monitor Redis server process stability and track unexpected terminations
- Implement alerting on Redis service restarts that occur outside maintenance windows
- Audit Redis command logs for unusual MSETNX command patterns from specific clients
- Deploy application-level monitoring to detect database connectivity failures
Monitoring Recommendations
- Configure process monitoring to detect Redis server crashes and automatic restart frequency
- Enable Redis command logging to capture all MSETNX operations for forensic analysis
- Set up real-time alerts for Redis service availability drops
- Monitor system logs for assertion failure messages associated with the Redis process
How to Mitigate CVE-2023-28425
Immediate Actions Required
- Upgrade Redis to version 7.0.10 or later immediately
- Audit current Redis deployment versions across all environments
- Review authentication logs to identify potentially malicious authenticated sessions
- Implement network segmentation to limit access to Redis instances
Patch Information
The vulnerability is fixed in Redis version 7.0.10. The fix is available through the official Redis release. The patch modifies the assertion handling to prevent user-triggered crashes while maintaining appropriate error handling for the MSETNX command.
Additional vendor advisories are available from NetApp Security Advisory NTAP-20230413-0005.
Workarounds
- Restrict Redis authentication to trusted users and services only until patching is complete
- Implement network-level access controls to limit connectivity to Redis servers
- Monitor and rate-limit MSETNX command usage as a temporary measure
- Consider deploying Redis in a high-availability configuration to minimize downtime impact from potential crashes
# Verify Redis version and upgrade if vulnerable
redis-server --version
# If running version 7.0.8 or 7.0.9, upgrade to 7.0.10 or later
# Example for systems using package managers:
# apt-get update && apt-get install redis-server
# yum update redis
# Alternatively, compile from source:
# wget https://github.com/redis/redis/archive/refs/tags/7.0.10.tar.gz
# tar xzf 7.0.10.tar.gz
# cd redis-7.0.10
# make && make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
