CVE-2023-28856 Overview
CVE-2023-28856 is a Denial of Service vulnerability affecting Redis, the popular open source, in-memory database that persists on disk. Authenticated users can exploit the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access in affected versions. This vulnerability allows low-privileged authenticated attackers to disrupt service availability through specially crafted commands.
Critical Impact
Authenticated attackers can crash Redis servers by creating invalid hash fields using the HINCRBYFLOAT command with NaN or Infinity values, causing complete service disruption.
Affected Products
- Redis versions prior to 7.0.11
- Redis versions prior to 6.2.12
- Redis versions prior to 6.0.19
- Debian Linux 10.0
- Fedora 36, 37, and 38
Discovery Timeline
- April 18, 2023 - CVE-2023-28856 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-28856
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) and reachable assertion (CWE-617) in the Redis HINCRBYFLOAT command handler. The vulnerability allows authenticated users to provide specially crafted floating-point values that, when processed, create invalid hash fields within the Redis data structure. When these corrupted hash fields are subsequently accessed, the Redis server crashes, resulting in a complete denial of service condition.
The attack requires network access and valid authentication credentials, but the complexity of exploitation is low. Once authenticated, an attacker can reliably trigger the crash condition with minimal effort, making this a significant availability concern for Redis deployments.
Root Cause
The root cause lies in insufficient validation of floating-point increment values in the HINCRBYFLOAT command handler. Specifically, the code failed to check for special IEEE 754 floating-point values such as NaN (Not a Number) and Infinity before creating or modifying hash fields. When these invalid values were stored and later accessed, the Redis server would encounter an assertion failure and crash.
Attack Vector
The attack vector is network-based and requires authentication. An attacker with valid Redis credentials can connect to the server and issue a HINCRBYFLOAT command with a NaN or Infinity value as the increment parameter. This creates a corrupted hash field that will crash the server when accessed by any subsequent operation.
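The following simplified model, added here and not taken from Redis or from this advisory, illustrates the ordering defect described above: the pre-fix handler creates the hash key and writes the field before asking whether the increment is finite, so a NaN or Infinity literal (which `float()` accepts just as C's `strtold()` does) ends up stored, and the next read of that field trips the assertion that stands in for the CWE-617 crash. The post-fix handler rejects the increment before touching the store. The store, key names and the `HashCorruptedError` class are constructed for the example; the second error message is an assumed wording.

```python
import math


class HashCorruptedError(AssertionError):
    """Stands in for the Redis assertion (CWE-617) hit when a corrupted field is read."""


def parse_increment(raw: str) -> float:
    # float() accepts "nan", "inf", "-Infinity", "1e400" (overflows to inf) and so on,
    # just as strtold() does, so a textual special value passes parsing without error.
    return float(raw)


def hincrbyfloat_vulnerable(store: dict, key: str, field: str, raw_incr: str) -> str:
    """Pre-fix ordering in this model: the key is created and the field written
    before anyone checks whether the increment is finite."""
    incr = parse_increment(raw_incr)
    h = store.setdefault(key, {})            # key created unconditionally
    value = h.get(field, 0.0) + incr
    h[field] = value                         # NaN or Infinity lands in the hash
    return str(value)


def hincrbyfloat_fixed(store: dict, key: str, field: str, raw_incr: str) -> str:
    """Post-fix ordering: reject a non-finite increment before touching the store
    (same error text the patch adds), and also reject a non-finite result so that
    two finite operands that overflow cannot store Infinity either."""
    incr = parse_increment(raw_incr)
    if math.isnan(incr) or math.isinf(incr):
        return "ERR value is NaN or Infinity"
    current = store.get(key, {}).get(field, 0.0)
    value = current + incr
    if not math.isfinite(value):
        return "ERR increment would produce NaN or Infinity"   # assumed wording
    store.setdefault(key, {})[field] = value  # key created only for a valid result
    return str(value)


def hget(store: dict, key: str, field: str) -> float:
    """Any later read of the field: a non-finite value trips the assertion."""
    value = store[key][field]
    if not math.isfinite(value):
        raise HashCorruptedError(f"invalid hash field {key}.{field}: {value!r}")
    return value


def field_readable(store: dict, key: str, field: str) -> bool:
    """True if the field can be read without hitting the modelled assertion."""
    try:
        hget(store, key, field)
        return True
    except HashCorruptedError:
        return False


if __name__ == "__main__":
    before, after = {}, {}
    print(hincrbyfloat_vulnerable(before, "profile:42", "score", "nan"))  # nan stored
    print("readable after vulnerable path:", field_readable(before, "profile:42", "score"))
    print(hincrbyfloat_fixed(after, "profile:42", "score", "nan"))        # rejected
    print("key created by fixed path:", "profile:42" in after)
```

The two handlers differ only in where the finiteness check sits relative to key creation, which is exactly the change the upstream patch makes; the result check in the fixed version is the extra guard a finite-increment overflow needs.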
// Security patch from src/t_hash.c - fix hincrbyfloat not to create a key if the new value is invalid (#11149)
unsigned int vlen;
if (getLongDoubleFromObjectOrReply(c,c->argv[3],&incr,NULL) != C_OK) return;
+ if (isnan(incr) || isinf(incr)) {
+ addReplyError(c,"value is NaN or Infinity");
+ return;
+ }
if ((o = hashTypeLookupWriteOrCreate(c,c->argv[1])) == NULL) return;
if (hashTypeGetValue(o,c->argv[2]->ptr,&vstr,&vlen,&ll) == C_OK) {
if (vstr) {
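Review bot: the new guard validates only `incr`, so a finite increment added to an existing finite field value can still overflow to Infinity; the sum computed after `hashTypeGetValue` needs its own isnan/isinf check (not visible in this excerpt) before the field is written, otherwise the same invalid-field state can be reached with two finite operands. The placement itself is right: the `return` sits between `getLongDoubleFromObjectOrReply` and `hashTypeLookupWriteOrCreate`, so a rejected increment no longer creates the key, which is what the commit title promises. A regression test asserting that the key does not exist after the rejected call would pin that behaviour down.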
Source: GitHub Redis Commit Update
Detection Methods for CVE-2023-28856
Indicators of Compromise
- Unexpected Redis server crashes or restarts in application logs
- Redis error logs containing assertion failures related to hash field operations
- Presence of HINCRBYFLOAT commands with unusual floating-point values in Redis command logs
- Client connections attempting multiple HINCRBYFLOAT operations in rapid succession
Detection Strategies
- Monitor Redis slow logs and command logs for HINCRBYFLOAT commands with NaN or Infinity values
- Implement application-level logging to track all HINCRBYFLOAT command usage patterns
- Deploy Redis version detection tools to identify unpatched instances across your infrastructure
- Use SentinelOne's Singularity Platform to detect anomalous process termination patterns on Redis servers
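The two detection strategies that concern command logs (spotting HINCRBYFLOAT calls whose increment is NaN or Infinity, and spotting one client issuing such calls in rapid succession) can be run over Redis MONITOR output. The scanner below is an added example, not part of the advisory or of Redis; it assumes the MONITOR line layout `<unix time> [<db> <client>] "CMD" "arg" ...`, and the sample lines are constructed, not a real capture.

```python
import math
import re
from collections import defaultdict

# MONITOR prints one line per command: <unix time> [<db> <client addr>] "CMD" "arg1" ...
MONITOR_LINE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.+)$')
QUOTED_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample: one benign increment from 10.0.0.5 and a burst of
# non-finite increments from 10.0.0.9.
SAMPLE_MONITOR = [
    '1681833600.100000 [0 10.0.0.5:51234] "HSET" "profile:42" "score" "10"',
    '1681833601.200000 [0 10.0.0.5:51234] "HINCRBYFLOAT" "profile:42" "score" "1.5"',
    '1681833602.300000 [0 10.0.0.9:40111] "HINCRBYFLOAT" "profile:42" "score" "nan"',
    '1681833602.400000 [0 10.0.0.9:40111] "HINCRBYFLOAT" "profile:43" "score" "inf"',
    '1681833602.500000 [0 10.0.0.9:40111] "HINCRBYFLOAT" "profile:44" "score" "-Infinity"',
    '1681833602.600000 [0 10.0.0.9:40111] "HINCRBYFLOAT" "profile:45" "score" "1e400"',
    '1681833603.000000 [0 10.0.0.5:51234] "HGET" "profile:42" "score"',
]


def is_non_finite_literal(token: str) -> bool:
    """True for nan/inf/infinity spellings and for literals that overflow to inf."""
    try:
        value = float(token)   # same lenient acceptance as strtold()
    except ValueError:
        return False           # not a number at all: the server rejects it itself
    return math.isnan(value) or math.isinf(value)


def find_non_finite_increments(lines):
    """Return one record per HINCRBYFLOAT whose increment argument is NaN or Infinity."""
    hits = []
    for line in lines:
        m = MONITOR_LINE.match(line)
        if not m:
            continue
        args = QUOTED_ARG.findall(m["args"])
        # HINCRBYFLOAT takes exactly key, field, increment
        if len(args) == 4 and args[0].upper() == "HINCRBYFLOAT" and is_non_finite_literal(args[3]):
            hits.append({
                "ts": float(m["ts"]),
                "client": m["client"],
                "key": args[1],
                "field": args[2],
                "increment": args[3],
            })
    return hits


def bursting_clients(hits, window_s: float = 5.0, threshold: int = 3):
    """Clients that issued at least `threshold` flagged commands within `window_s` seconds."""
    stamps_by_client = defaultdict(list)
    for hit in hits:
        stamps_by_client[hit["client"]].append(hit["ts"])
    flagged = set()
    for client, stamps in stamps_by_client.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window_s:
                flagged.add(client)
                break
    return flagged


if __name__ == "__main__":
    found = find_non_finite_increments(SAMPLE_MONITOR)
    for hit in found:
        print(f'{hit["ts"]:.6f} {hit["client"]} HINCRBYFLOAT {hit["key"]} {hit["field"]} {hit["increment"]}')
    print("bursting clients:", bursting_clients(found))
```

Feeding `redis-cli MONITOR` output into `find_non_finite_increments` line by line gives the per-command indicator; `bursting_clients` turns the same hits into the rapid-succession indicator. MONITOR has a measurable cost on a busy server, so on production instances run it briefly or read the same fields from a proxy or application-side command log instead.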
Monitoring Recommendations
- Review the Redis ACL LOG for failed authentication attempts and commands denied by ACL rules
- Configure alerting for unexpected Redis process terminations or restart events
- Monitor Redis uptime metrics for unusual patterns indicating repeated crashes
- Review network traffic to Redis instances for suspicious command patterns
How to Mitigate CVE-2023-28856
Immediate Actions Required
- Upgrade Redis to patched versions: 7.0.11, 6.2.12, or 6.0.19 immediately
- Review and restrict Redis authentication to minimize the pool of users who could potentially exploit this vulnerability
- Implement network segmentation to limit access to Redis instances from trusted sources only
- Enable Redis ACLs to restrict which authenticated users can execute the HINCRBYFLOAT command
Patch Information
Redis has addressed this vulnerability in versions 7.0.11, 6.2.12, and 6.0.19. The fix adds validation to check for NaN and Infinity values in the increment parameter before processing the HINCRBYFLOAT command. Users should upgrade to these versions or later as soon as possible. The security patch is available through the GitHub Redis Pull Request and detailed in the GitHub Security Advisory GHSA-hjv8-vjf6-wcr6.
Distribution-specific patches are available:
- Debian LTS Security Announcement
- Fedora packages updated for Fedora 36, 37, and 38
Workarounds
- There are no known workarounds for this issue according to the vendor advisory
- As a temporary measure, restrict HINCRBYFLOAT command access using Redis ACLs until patching is possible
- Implement network-level access controls to limit which clients can connect to Redis instances
- Consider deploying Redis behind a proxy that can filter potentially malicious commands
# Example: Restrict HINCRBYFLOAT command using Redis ACL
# Create a user with limited command access (requires Redis 6.0+).
# ACL rules are applied left to right, so the command must be removed after +@all;
# ~* grants access to all keys (~keys:* would only match keys prefixed "keys:").
# Replace "password" with a strong secret.
ACL SETUSER limited_user on >password ~* +@all -HINCRBYFLOAT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.