CVE-2023-28859 Overview
CVE-2023-28859 is an information leakage vulnerability in redis-py, the popular Python client library for Redis. The vulnerability affects versions before 4.4.4 and 4.5.x before 4.5.4. When an asynchronous Redis command is canceled at an inopportune time, the library fails to properly close the connection, potentially allowing response data to be sent to the client of an unrelated request. This issue specifically impacts AsyncIO connections and can occur during non-pipeline operations.
Critical Impact
Sensitive data from one Redis operation may inadvertently leak to unrelated client requests due to improper connection cleanup, potentially exposing confidential information across different user sessions or application contexts.
Affected Products
- redis-py versions before 4.4.4
- redis-py versions 4.5.x before 4.5.4
- Applications using AsyncIO Redis connections with the affected library versions
Discovery Timeline
- March 26, 2023 - CVE-2023-28859 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-28859
Vulnerability Analysis
This vulnerability stems from improper resource cleanup (CWE-459) in the redis-py library's AsyncIO implementation. When an asynchronous Redis command is canceled—such as through a timeout or explicit cancellation—the underlying connection is not properly closed or reset. This leaves the connection in an inconsistent state where response data from one request can be erroneously routed to a completely different client request.
The issue is particularly concerning in multi-tenant applications or services handling requests from multiple users, where data isolation is critical. An attacker or unrelated user could potentially receive sensitive data intended for another party without any active exploitation—the vulnerability can trigger through normal application behavior when request cancellations occur.
Root Cause
The root cause is classified as CWE-459 (Incomplete Cleanup). The redis-py library's AsyncIO connection handling does not properly clean up connection state when a Redis command is canceled. Specifically, when an async operation is interrupted, the connection remains open and in an indeterminate state. The next request that uses this connection may then receive the response data that was originally intended for the canceled request, leading to cross-request data contamination.
Attack Vector
The vulnerability is exploitable over the network. An attacker with low privileges (authenticated access to the application) could potentially exploit this vulnerability to gain access to sensitive information from other users' Redis operations. The attack does not require user interaction and can occur passively when the race condition between request cancellation and response delivery manifests.
The exploitation scenario involves:
- A legitimate user initiates an async Redis command
- The command is canceled (timeout, application logic, or explicit cancellation)
- The connection remains open with pending response data
- A subsequent unrelated request receives the orphaned response data
This can expose cached session data, authentication tokens, user preferences, or any other information stored in Redis.
Detection Methods for CVE-2023-28859
Indicators of Compromise
- Unexpected data appearing in Redis responses that doesn't match the requested keys
- Application logs showing data type mismatches or deserialization errors from Redis responses
- User reports of seeing other users' data or receiving incorrect cached information
- Elevated rates of async task cancellations in application monitoring
Detection Strategies
- Implement application-level validation to verify that Redis responses match expected data formats and request contexts
- Monitor for anomalous patterns in Redis connection pool behavior, particularly connection reuse after cancellations
- Review application logs for Redis-related errors that may indicate response/request mismatches
- Audit dependency manifests to identify vulnerable redis-py versions across all services
Monitoring Recommendations
- Enable detailed logging for AsyncIO task cancellations involving Redis operations
- Implement data integrity checks on Redis responses to detect potential cross-contamination
- Monitor connection pool metrics for unusual connection lifecycle patterns
- Set up alerts for dependency vulnerability scanners that flag redis-py versions below 4.4.4 or 4.5.4
How to Mitigate CVE-2023-28859
Immediate Actions Required
- Upgrade redis-py to version 4.4.4 or later for the 4.4.x branch
- Upgrade redis-py to version 4.5.4 or later for the 4.5.x branch
- Review and audit any AsyncIO-based Redis usage in your applications
- Consider implementing additional application-level validation on Redis responses until patching is complete
Patch Information
The redis-py maintainers have released patched versions that address the data leakage across AsyncIO connections. The fixes are available in:
Additional technical details about the fix can be found in the GitHub Pull Request #2641 and Pull Request #2666. The original issue report provides context on the vulnerability discovery.
Workarounds
- Avoid using async cancellation with Redis operations where possible until patches are applied
- Implement connection pool configurations that create new connections rather than reusing potentially tainted ones
- Add application-level response validation to detect and discard responses that don't match expected data patterns
- Consider temporarily using synchronous Redis operations for sensitive data if async patching is delayed
# Upgrade redis-py to patched version
pip install --upgrade redis>=4.5.4
# Verify installed version
pip show redis | grep Version
# For requirements.txt, update to:
# redis>=4.5.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
