CVE-2024-31227 Overview
CVE-2024-31227 is an Improper Input Validation vulnerability affecting Redis, the popular open source, in-memory database that persists on disk. An authenticated user with sufficient privileges may create a malformed ACL (Access Control List) selector which, when accessed, triggers a server panic and subsequent denial of service condition. This vulnerability affects Redis 7 prior to versions 7.2.6 and 7.4.1.
Critical Impact
An authenticated user who is allowed to run ACL SETUSER can crash the Redis process with a single malformed rule. The impact is availability only: nothing is read or modified, but every client loses the instance until it is restarted, and writes not yet persisted to RDB or AOF are lost with it. Applications that use Redis for sessions, caching, or as a primary data store therefore see an outage, not a cache miss.
Affected Products
- Redis versions 7.0.0 through 7.2.5 (the advisory lists fixes only in 7.2.6 and 7.4.1, so 7.0.x deployments must move to 7.2.6 or later)
- Redis version 7.4.0
- ACLs are always present in Redis 7, so the practical precondition is not an "ACL feature" being enabled but a user who can run ACL SETUSER; every unpatched 7.x instance that grants that command beyond trusted administrators is exposed
Discovery Timeline
- 2024-10-07 - CVE-2024-31227 published to NVD
- 2025-08-26 - Last updated in NVD database
Technical Details for CVE-2024-31227
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in the ACL selector parser in Redis. A user who can run ACL SETUSER can supply a key-pattern rule that the parser accepts even though it leaves the rule in a state no other part of the server expects. Nothing fails at creation time; when the malformed selector is later accessed by the server, the unexpected state hits a server panic and the process terminates immediately.
NVD rates the attack vector as local and the required privileges as high: the attacker must already hold an authenticated connection as a user permitted to run ACL SETUSER. Within that constraint the availability impact is total, so organizations that use Redis for session management, caching, or as a primary data store should treat any such user as able to take the service down at will.
Root Cause
The root cause is in the key-pattern parsing of ACL SETUSER in src/acl.c. Redis 7 accepts key patterns of the form %<flags>~<pattern>, where the flags between the percent sign and the tilde are R, W, or both and restrict the pattern to read or write access (a bare ~<pattern> grants both). The parser walks the characters after the percent sign, setting the read or write bit for each R or W and stopping at the tilde, but it did not check that at least one bit had been set before accepting the tilde. A rule such as %~<pattern> therefore passed validation and was stored with a permission value of zero, a state no consumer of the selector handles; the next time the server accessed that selector it panicked.
Attack Vector
The attacker needs an authenticated connection as a user permitted to run ACL SETUSER (normally an administrator, since ACL is an admin-level command). They then issue ACL SETUSER for any user, including themselves, with a key-pattern token whose tilde is not preceded by an R or W flag, i.e. %~<pattern>, either as a top-level rule or inside a parenthesised selector. The command succeeds, and the malformed selector sits in the user's ruleset until the server accesses it, at which point the server panics and exits.
// Patch from src/acl.c - Fix ACL SETUSER Read/Write key pattern selector
flags |= ACL_READ_PERMISSION;
} else if (toupper(op[offset]) == 'W' && !(flags & ACL_WRITE_PERMISSION)) {
flags |= ACL_WRITE_PERMISSION;
- } else if (op[offset] == '~') {
+ } else if (op[offset] == '~' && flags) {
offset++;
break;
} else {
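Review bot: the new "&& flags" condition sends a flagless %~<pattern> into the else branch, but that branch's body is outside the hunk; confirm it reports a syntax error to the client (the errno/EINVAL path) rather than falling through with flags == 0, and add a regression test that ACL SETUSER rejects %~x both as a top-level rule and inside a (...) selector. The consumer that panics on the zero flag value is untouched by this change, so a second, non-fatal guard at that site would keep any future parser path from turning into a process abort.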
Source: GitHub Redis Commit
The patch adds a check that flags is non-zero, i.e. that at least one of the R or W bits has been set, before the tilde is accepted. With the check in place a token such as %~<pattern> falls through to the else branch and ACL SETUSER rejects the rule as invalid instead of storing it, so the malformed state can no longer be created.
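To make the parse-then-panic sequence concrete, here is a simplified model of the key-pattern parser written for this page (it is an added illustration, not code from Redis). The loop follows the structure of the patched hunk above; the KeyPattern class, the fixed= switch that toggles the new check, the exception types and the describe_key_pattern() function that stands in for the later access are this example's own assumptions about the surrounding code.

```python
"""Simplified model of the ACL SETUSER key-pattern parser at the heart of
CVE-2024-31227. Added illustration for this page, not code from Redis: the
loop follows the structure of the patched hunk in src/acl.c, while the
KeyPattern class, the fixed= switch, the exception types and
describe_key_pattern() are this example's own scaffolding.
"""
from dataclasses import dataclass

# Bit values are this example's choice; only their combination matters here.
ACL_READ_PERMISSION = 1
ACL_WRITE_PERMISSION = 2
ACL_ALL_PERMISSION = ACL_READ_PERMISSION | ACL_WRITE_PERMISSION


class AclSyntaxError(ValueError):
    """Stands in for the errno = EINVAL / C_ERR path: the client gets an error."""


class ServerPanic(RuntimeError):
    """Stands in for a server panic: in Redis this aborts the whole process."""


@dataclass(frozen=True)
class KeyPattern:
    flags: int      # 0 is the state no consumer expects
    pattern: str


def parse_key_pattern(op: str, fixed: bool = True) -> KeyPattern:
    """Parse one '%[R][W]~<pattern>' rule token.

    fixed=True applies the patched check ('~' only after some flag);
    fixed=False reproduces the pre-7.2.6 / pre-7.4.1 behaviour, where
    '%~<pattern>' was accepted and stored with flags == 0.
    """
    if len(op) < 2 or op[0] != "%":
        raise AclSyntaxError(f"not a %-prefixed key pattern: {op!r}")
    flags = 0
    offset = 1
    while offset < len(op):
        ch = op[offset]
        if ch.upper() == "R" and not flags & ACL_READ_PERMISSION:
            flags |= ACL_READ_PERMISSION
        elif ch.upper() == "W" and not flags & ACL_WRITE_PERMISSION:
            flags |= ACL_WRITE_PERMISSION
        elif ch == "~" and (flags or not fixed):   # the patch adds '&& flags'
            offset += 1
            break
        else:
            raise AclSyntaxError(f"bad key pattern flags in {op!r}")
        offset += 1
    else:
        # Loop ended without a '~': there is no pattern after the flags.
        raise AclSyntaxError(f"missing '~' in {op!r}")
    return KeyPattern(flags, op[offset:])


def describe_key_pattern(kp: KeyPattern) -> str:
    """Render a stored pattern back into rule syntax.

    Models the later 'access' of the selector: the renderer knows the three
    legal flag values and treats anything else as a broken invariant, which
    is fatal. (Assumed shape of the consumer, not Redis code.)
    """
    if kp.flags == ACL_ALL_PERMISSION:
        return "~" + kp.pattern
    if kp.flags == ACL_READ_PERMISSION:
        return "%R~" + kp.pattern
    if kp.flags == ACL_WRITE_PERMISSION:
        return "%W~" + kp.pattern
    raise ServerPanic(f"invalid key pattern flags {kp.flags}")


def outcome(op: str, fixed: bool) -> str:
    """Parse a token, then access it; return a one-line verdict."""
    try:
        kp = parse_key_pattern(op, fixed=fixed)
    except AclSyntaxError as err:
        return f"rejected by ACL SETUSER: {err}"
    try:
        return f"stored and reads back as {describe_key_pattern(kp)}"
    except ServerPanic as err:
        return f"stored with flags={kp.flags}, panic on access: {err}"


if __name__ == "__main__":
    for token in ("%RW~cache:*", "%R~reports:*", "%~secret:*", "%RR~x"):
        for fixed in (False, True):
            label = "patched   " if fixed else "vulnerable"
            print(f"{label} {token:14} -> {outcome(token, fixed)}")
```

Running the script shows the asymmetry the advisory describes: %~secret:* is stored with flags 0 by the vulnerable parser and only blows up when read back, while the patched parser refuses it at ACL SETUSER time. The %RR~x case is rejected in both modes, which is why only the flagless form is the security issue.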
Detection Methods for CVE-2024-31227
Indicators of Compromise
- Unexpected Redis server crashes or restarts without an apparent cause such as OOM or a deploy
- Redis log entries containing a panic message followed by the crash report Redis writes on abort (stack trace, INFO dump), particularly shortly after an ACL SETUSER
- ACL SETUSER commands carrying a %~<pattern> rule (a percent sign immediately followed by a tilde) in MONITOR output, proxy logs, or configuration management history
- Service availability issues that correlate in time with ACL configuration changes
Detection Strategies
- Monitor Redis logs for panic messages and unexpected terminations
- Audit ACL SETUSER commands and ACL files for key-pattern tokens whose tilde is not preceded by an R or W flag (%~<pattern>)
- Alert on Redis process crashes and on automatic restarts by the service manager or orchestrator, since a restart loop can hide the underlying panic
- Review who holds permission to run ACL SETUSER and investigate any grant that did not come through the normal change process
Monitoring Recommendations
- Redis has no built-in command audit log, and ACL LOG records only denied commands, not successful ACL SETUSER calls; to capture ACL changes, stream commands with MONITOR from a dedicated client to a log collector (accepting the throughput cost) or log at a proxy in front of Redis
- Deploy application-level monitoring to detect Redis connection failures indicative of server crashes
- Establish baseline metrics for Redis uptime and alert on deviations
- Monitor for repeated connection retry patterns from applications that may indicate Redis instability
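The audit suggested above can be done offline, which matters here because the advisory describes the panic as happening when the malformed selector is accessed, so querying an unpatched server for its rules is not a safe way to look for the problem. The following script is an added example for this page, not Redis tooling: it scans ACL file lines (user <name> <rule> ...) and command lines in the format redis-cli MONITOR prints for the flagless %~<pattern> shape. All sample lines are constructed, the password hash is a placeholder, and the MONITOR line format is assumed to be the timestamp [db client] "arg" "arg" layout.

```python
"""Offline audit for the '%~<pattern>' rule shape behind CVE-2024-31227.

Added example for this page, not Redis tooling. It scans two text sources
that can be collected without asking the server for its rules: the ACL file
(lines of the form 'user <name> <rule> ...') and command traffic in the
format redis-cli MONITOR prints. All sample lines below are constructed.
"""
import re

# A %-prefixed key pattern rule: '%', zero or more R/W flag letters, '~', then
# the pattern. The preceding character must be a separator ('(' opens a
# selector, '"' quotes a MONITOR argument) so a '%' inside a glob is not
# mistaken for a rule prefix. An empty flag group is the malformed form.
KEY_PATTERN = re.compile(r'(?<![^\s"(])%([RWrw]*)~([^\s")]*)')

# MONITOR line: <timestamp> [<db> <client>] "<arg>" "<arg>" ...
MONITOR_LINE = re.compile(r"^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$")
MONITOR_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')


def find_key_pattern_rules(text: str) -> list:
    """Return (flags, pattern) for every %-prefixed key pattern in text."""
    return [(m.group(1).upper(), m.group(2)) for m in KEY_PATTERN.finditer(text)]


def audit_acl_file(lines) -> list:
    """Report (line_no, user, rule) for flagless '%~' rules in ACL file lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        for flags, pattern in find_key_pattern_rules(line):
            if flags == "":
                findings.append((n, parts[1], "%~" + pattern))
    return findings


def audit_monitor_log(lines) -> list:
    """Report (line_no, client, target_user, rule) for ACL SETUSER calls that
    pass a flagless '%~' rule. Arguments are split the way MONITOR quotes them."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = MONITOR_LINE.match(line)
        if not m:
            continue
        client = m.group(3)
        args = MONITOR_ARG.findall(m.group(4))
        if len(args) < 4 or args[0].upper() != "ACL" or args[1].upper() != "SETUSER":
            continue
        for arg in args[3:]:
            for flags, pattern in find_key_pattern_rules(arg):
                if flags == "":
                    findings.append((n, client, args[2], "%~" + pattern))
    return findings


# Constructed samples. The hash is a placeholder, not a real password digest.
FAKE_HASH = "#" + "ab" * 32
SAMPLE_ACL_FILE = [
    "user default on nopass ~* &* +@all",
    f"user alice on {FAKE_HASH} ~app:* +@read",
    f"user reporter on {FAKE_HASH} (%R~reports:* +get) (%~secret:* +get)",
]
SAMPLE_MONITOR = [
    '1728000000.000001 [0 127.0.0.1:50000] "ACL" "SETUSER" "alice" "on" "%RW~app:*"',
    '1728000001.000002 [0 10.0.0.7:41122] "ACL" "SETUSER" "reporter" "%~secret:*"',
    '1728000002.000003 [0 127.0.0.1:50000] "GET" "app:1"',
    '1728000003.000004 [0 10.0.0.7:41122] "ACL" "SETUSER" "reporter" "(%~other:* +get)"',
]


if __name__ == "__main__":
    for hit in audit_acl_file(SAMPLE_ACL_FILE):
        print("aclfile line %d: user %s has malformed rule %s" % hit)
    for hit in audit_monitor_log(SAMPLE_MONITOR):
        print("monitor line %d: client %s set %s with malformed rule %s" % hit)
```

Feed it the real aclfile and a MONITOR capture instead of the samples; a hit from a client address that is not your administration host is worth treating as an attempted denial of service rather than a typo.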
How to Mitigate CVE-2024-31227
Immediate Actions Required
- Upgrade Redis to version 7.2.6 or later for the 7.2.x branch (7.0.x deployments have no fixed release on their own branch and should move to 7.2.6 or later as well)
- Upgrade Redis to version 7.4.1 or later for the 7.4.x branch
- Audit which users can run ACL SETUSER and restrict that right to trusted administrators only
- Review the ACL file and any configuration management source of ACL rules for %~<pattern> tokens; on an unpatched server, avoid probing with ACL LIST or ACL GETUSER, since reading a malformed selector back is itself an access that can trigger the panic
Patch Information
Redis has released security patches addressing this vulnerability. The fix is available in Redis versions 7.2.6 and 7.4.1. Users are strongly advised to upgrade to these versions or later. The patch modifies the ACL selector parsing logic in src/acl.c to validate that permission flags are properly set before processing key pattern specifications.
Workarounds
- There are no known workarounds for this vulnerability according to the vendor advisory
- Restrict ACL management privileges to only essential administrative users
- Implement network segmentation to limit access to Redis instances
- Consider deploying Redis behind authentication proxies with additional access controls
# Check the currently installed Redis version
redis-server --version
# Upgrade Redis on Debian/Ubuntu systems; distribution packages may lag behind
# upstream, so confirm the version afterwards rather than assuming the fix landed
sudo apt update && sudo apt install redis-server
# Verify the running server reports 7.2.6+ or 7.4.1+ (the restarted process, not just the binary)
redis-cli INFO server | grep redis_version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.