CVE-2023-28858 Overview
CVE-2023-28858 is a data leakage vulnerability in the redis-py Python client library that affects versions before 4.5.3. The vulnerability occurs when an async Redis command is canceled at an inopportune time, leaving a connection open and potentially sending response data to an unrelated request in an off-by-one manner. This issue gained significant attention after being linked to a ChatGPT outage, where the flaw could have exposed user data across different sessions.
Critical Impact
Data leakage across AsyncIO connections may expose sensitive information from one user's Redis response to unrelated client requests, potentially compromising data confidentiality in multi-user applications.
Affected Products
- redis-py versions prior to 4.3.6
- redis-py versions 4.4.x prior to 4.4.3
- redis-py versions 4.5.x prior to 4.5.3
Discovery Timeline
- 2023-03-26 - CVE-2023-28858 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-28858
Vulnerability Analysis
This vulnerability is classified as CWE-193 (Off-by-one Error), affecting the redis-py library's handling of asynchronous Redis connections. When an async Redis command is canceled during a specific timing window, the underlying connection is not properly closed or cleaned up. This leaves the connection in an inconsistent state where response data intended for the canceled request may be delivered to a subsequent, unrelated request.
The flaw is particularly concerning in high-concurrency environments where multiple clients share connection pools. In such scenarios, the off-by-one error in response handling can result in one client receiving data that belongs to another client's Redis query, creating a cross-session data leakage condition.
This vulnerability was notably connected to a ChatGPT service outage where the issue manifested in a production environment.
Root Cause
The root cause stems from improper connection state management during asynchronous operation cancellation in redis-py's AsyncIO implementation. When a Redis command is canceled mid-execution, the library fails to properly reset or close the connection, leaving residual state that causes response data misrouting. The off-by-one error in the response handling logic means that the next client to use that connection may receive the previous client's response data instead of their own.
Attack Vector
The attack vector is network-based, though exploitation requires specific timing conditions to occur naturally or be induced:
- An attacker or legitimate user initiates an async Redis command
- The command is canceled at a precise moment during execution
- The connection remains open with pending response data
- A subsequent unrelated request uses the same connection from the pool
- The new request receives the response data from the canceled operation instead of its own query results
This vulnerability does not require authentication and can be triggered without user interaction, though the high attack complexity means successful exploitation depends on specific race conditions being met. The impact is limited to confidentiality exposure of cached data.
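The sequence above can be reproduced with a toy asyncio model. The following is an added example, not code from redis-py or from this page: a constructed fake server and a single pipelined connection, with one command executor that mirrors the pre-fix behaviour (a cancelled read leaves the reply queued on the connection) and one that mirrors the fix (a cancelled command tears the connection down before anything else can reuse it). All class and function names are this example's own.

```python
import asyncio


class FakeRedisServer:
    """Constructed stand-in for Redis: answers each command, in order, after a
    small delay so that a cancellation can land while a reply is in flight."""

    def __init__(self, delay: float = 0.01) -> None:
        self.delay = delay

    async def handle(self, cmd: str, reply_to: asyncio.Queue) -> None:
        await asyncio.sleep(self.delay)
        await reply_to.put(f"RESPONSE[{cmd}]")


class Connection:
    """Toy model of one socket: replies arrive strictly in send order, so one
    reply that is never read shifts every later read by one (the off-by-one)."""

    def __init__(self, server: FakeRedisServer) -> None:
        self.server = server
        self.inbound: asyncio.Queue = asyncio.Queue()
        self._pending: set = set()  # keep server tasks referenced until done

    def send(self, cmd: str) -> None:
        # The reply is bound to the inbound buffer that exists at send time.
        task = asyncio.create_task(self.server.handle(cmd, self.inbound))
        self._pending.add(task)
        task.add_done_callback(self._pending.discard)

    async def read_response(self) -> str:
        return await self.inbound.get()

    async def disconnect(self) -> None:
        # Drop the socket: any reply still in flight is discarded with it.
        self.inbound = asyncio.Queue()


async def execute_unsafe(conn: Connection, cmd: str) -> str:
    """Pre-fix behaviour: cancelling between send and read leaves the reply
    queued on a connection that goes straight back into the pool."""
    conn.send(cmd)
    return await conn.read_response()


async def execute_fixed(conn: Connection, cmd: str) -> str:
    """Post-fix behaviour: a cancelled command must not leave the connection
    reusable, so disconnect before propagating the cancellation."""
    conn.send(cmd)
    try:
        return await conn.read_response()
    except asyncio.CancelledError:
        await conn.disconnect()
        raise


async def scenario(execute) -> str:
    conn = Connection(FakeRedisServer())
    first = asyncio.create_task(execute(conn, "GET session:alice"))
    await asyncio.sleep(0)          # first command is written to the socket
    first.cancel()                  # caller gives up before the reply arrives
    try:
        await first
    except asyncio.CancelledError:
        pass
    await asyncio.sleep(0.05)       # alice's reply lands on the connection
    # An unrelated request now reuses the same pooled connection.
    return await execute(conn, "GET session:bob")


def run_unsafe() -> str:
    return asyncio.run(scenario(execute_unsafe))


def run_fixed() -> str:
    return asyncio.run(scenario(execute_fixed))


if __name__ == "__main__":
    print("unsafe:", run_unsafe())   # bob's request receives alice's reply
    print("fixed: ", run_fixed())    # bob's request receives bob's reply
```

The point of the model is that the leak needs no malformed input at all: a plain timeout or client disconnect that cancels an awaiting coroutine is enough, which is why the fix belongs in the client's connection lifecycle rather than in request validation.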
Detection Methods for CVE-2023-28858
Indicators of Compromise
- Unexpected data appearing in Redis responses that doesn't match the issued query
- Application logs showing data inconsistencies or type mismatches in Redis responses
- User reports of seeing other users' cached data in multi-tenant applications
- Anomalous connection pool behavior with connections not being properly recycled
Detection Strategies
- Monitor application logs for Redis response validation failures or unexpected data types
- Implement Redis response integrity checks that validate returned data matches expected schemas
- Audit Python dependencies to identify vulnerable redis-py versions using tools like pip-audit or safety
- Deploy application-level data validation to detect cross-request data contamination
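A dependency audit for this advisory only has to compare the installed redis-py version against the three fixed releases listed on this page. The following is an added example (not part of the page or of redis-py) that encodes those ranges; `is_vulnerable` is a pure function over a version string and `audit_installed` looks up the installed package through `importlib.metadata`. The branch table reflects the affected-versions list above; treat any extension to other branches as an assumption.

```python
import re
from importlib import metadata

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED_ON_BRANCH = {
    (4, 3): (4, 3, 6),
    (4, 4): (4, 4, 3),
    (4, 5): (4, 5, 3),
}
# Anything older than the 4.3 branch is "prior to 4.3.6" and therefore affected.
OLDEST_FIXED = (4, 3, 6)


def parse_version(text: str) -> tuple:
    """Reduce 'X.Y.Z' (optionally with a suffix such as 'rc1') to an int triple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: str) -> bool:
    """True if this redis-py version falls in one of the affected ranges."""
    v = parse_version(version)
    fixed = FIXED_ON_BRANCH.get((v[0], v[1]), OLDEST_FIXED)
    return v < fixed


def audit_installed(package: str = "redis"):
    """Return (installed_version, vulnerable) or None if redis-py is absent."""
    try:
        installed = metadata.version(package)
    except metadata.PackageNotFoundError:
        return None
    return installed, is_vulnerable(installed)


if __name__ == "__main__":
    print(audit_installed())
```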
Monitoring Recommendations
- Enable detailed logging for Redis AsyncIO operations to track connection lifecycle events
- Monitor connection pool metrics for connections stuck in abnormal states
- Set up alerts for data validation failures in Redis response handlers
- Implement distributed tracing to correlate Redis requests with their responses across the application stack
How to Mitigate CVE-2023-28858
Immediate Actions Required
- Upgrade redis-py to 4.3.6, 4.4.3, or 4.5.3 (or a later release on the same branch) immediately

- Review applications for async Redis usage patterns that may be affected
- Consider temporarily disabling connection pooling in affected applications if immediate patching is not possible
- Audit application logs for any signs of data leakage that may have occurred
Patch Information
The Redis team has released patched versions that address this vulnerability by fixing the connection handling behavior for pipeline operations. The following version comparisons show the security fixes:
The fix is implemented in Pull Request #2641. Note that CVE-2023-28859 addresses additional data leakage issues across AsyncIO connections more broadly.
Workarounds
- Disable async Redis operations and use synchronous clients as a temporary measure
- Implement application-level data validation to detect and reject misrouted responses
- Reduce connection pool sizes to minimize the window for cross-request data exposure
- Add request-specific identifiers to Redis queries and validate them in responses to detect data mismatches
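One way to implement the last workaround is to pipeline an `ECHO` of a fresh random nonce in front of the real command: because replies come back in send order, a reply that has been shifted by one arrives in the nonce's slot and fails the comparison. The following is an added example, not code from redis-py or from this page. The pipeline runner is injected so the check runs offline against constructed fakes; the `redis_py_runner` adapter at the end is an assumption about the `redis.asyncio` pipeline API (`pipeline(transaction=False)`, `execute_command`, `execute`) and is not exercised here.

```python
import asyncio
import secrets
from typing import Any, Awaitable, Callable, Sequence

Command = tuple                                   # e.g. ("GET", b"session:bob")
PipelineRunner = Callable[[Sequence[Command]], Awaitable[list]]


class ResponseMismatch(Exception):
    """The connection handed back a reply that cannot belong to this request."""


async def tagged_get(run_pipeline: PipelineRunner, key: bytes) -> Any:
    """GET `key` guarded by an ECHO nonce; raises if the reply stream is shifted."""
    nonce = secrets.token_hex(8).encode()         # bytes: assumes decode_responses=False
    replies = await run_pipeline([("ECHO", nonce), ("GET", key)])
    if len(replies) != 2 or replies[0] != nonce:
        # Do not trust replies[1] either: the GET reply is still unread on the wire.
        raise ResponseMismatch(f"expected ECHO of {nonce!r}, got {replies!r}")
    return replies[1]


# --- constructed fakes for an offline demonstration -------------------------

def _answer(store: dict, command: Command) -> Any:
    name, *args = command
    if name == "ECHO":
        return args[0]
    if name == "GET":
        return store.get(args[0])
    raise NotImplementedError(name)


def healthy_runner(store: dict) -> PipelineRunner:
    async def run(commands: Sequence[Command]) -> list:
        return [_answer(store, c) for c in commands]
    return run


def shifted_runner(store: dict, stale_reply: bytes) -> PipelineRunner:
    """Models a connection carrying one unread reply from a cancelled command:
    the stale reply is delivered first and our last reply is left on the wire."""
    async def run(commands: Sequence[Command]) -> list:
        answers = [_answer(store, c) for c in commands]
        return [stale_reply] + answers[:-1]
    return run


STORE = {b"session:bob": b"bob-token"}            # constructed sample data


def demo_healthy() -> Any:
    return asyncio.run(tagged_get(healthy_runner(STORE), b"session:bob"))


def demo_shifted() -> str:
    try:
        asyncio.run(tagged_get(shifted_runner(STORE, b"alice-token"), b"session:bob"))
    except ResponseMismatch:
        return "mismatch detected"
    return "leak went unnoticed"


# --- assumed adapter for a real redis.asyncio.Redis client (not run here) ---

def redis_py_runner(client) -> PipelineRunner:
    async def run(commands: Sequence[Command]) -> list:
        pipe = client.pipeline(transaction=False)
        for cmd in commands:
            pipe.execute_command(*cmd)
        return await pipe.execute()
    return run


if __name__ == "__main__":
    print(demo_healthy())     # b'bob-token'
    print(demo_shifted())     # mismatch detected
```

On a mismatch the caller should discard the connection rather than retry on it, since the unread reply is still queued and would shift the next request as well; this check detects the misrouting described above but does not repair the connection, so it complements the upgrade rather than replacing it.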
```shell
# Upgrade redis-py to a patched version (quote the specifier so the shell
# does not treat ">=" as an output redirection)
pip install --upgrade "redis>=4.5.3"
# Verify installed version
pip show redis | grep Version
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

