CVE-2025-29923 Overview
CVE-2025-29923 is an input validation vulnerability in go-redis, the official Redis client library for Go. When the CLIENT SETINFO command times out during connection establishment, the client can return responses out of order, so a command may receive the reply that belonged to an earlier one. This can occur when the client is configured to transmit its identity (the default) and the handshake times out, typically because of network connectivity issues or aggressive timeout configuration.
Critical Impact
Out-of-order responses can lead to data integrity issues, incorrect command responses in pipelines, and potential security implications when commands receive wrong data.
Affected Products
- go-redis versions prior to 9.5.5
- go-redis versions prior to 9.6.3
- go-redis versions prior to 9.7.3
Discovery Timeline
- 2025-03-20 - CVE-2025-29923 published to NVD
- 2025-03-20 - Last updated in NVD database
Technical Details for CVE-2025-29923
Vulnerability Analysis
This vulnerability stems from improper handling of CLIENT SETINFO command timeouts during the connection establishment phase. When the Redis client attempts to transmit its identity information and a timeout occurs, the connection can enter an inconsistent state where responses no longer align with their corresponding requests.
The impact varies with the connection usage pattern. For sticky connections, out-of-order responses persist for the entire connection lifetime, meaning all subsequent commands may receive incorrect responses. In pipeline scenarios, all commands in the pipeline receive incorrect responses. When using the default ConnPool, the read buffer is checked when the connection is returned via ConnPool#Put, and the connection is marked as bad because of the unread data, which limits exposure to at most one out-of-order response before the connection is discarded.
Root Cause
The root cause is classified as CWE-20 (Improper Input Validation). The go-redis client fails to properly handle network timeout errors that occur during the CLIENT SETINFO command execution. When this command times out, pending response data remains in the connection's read buffer, causing subsequent read operations to retrieve stale data intended for the timed-out command rather than the current request.
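The stale-reply mechanism described above can be reproduced without a Redis server. The following Go program is an added illustration, not go-redis code: it uses an in-memory net.Pipe, a fake server (fakeRedis) that answers CLIENT SETINFO late, and a minimal one-connection client with a read deadline. connectVulnerable keeps the connection after the handshake times out, so the next command (PING) reads the server's late +OK as its own reply; connectFixed discards the connection on any handshake error. All function names and timings are the example's own assumptions.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// fakeRedis serves the server end of a net.Pipe using the Redis inline
// protocol. Every reply is written from its own goroutine, so a reply the
// client has stopped waiting for still arrives later, as it would from a
// real server over a slow network. CLIENT SETINFO is answered after
// setinfoDelay to model the slow handshake the advisory describes.
func fakeRedis(srv net.Conn, setinfoDelay time.Duration) {
	rd := bufio.NewReader(srv)
	for {
		line, err := rd.ReadString('\n')
		if err != nil {
			return // client hung up
		}
		cmd := strings.TrimSpace(line)
		go func() {
			reply := "-ERR unknown command\r\n"
			switch {
			case strings.HasPrefix(cmd, "CLIENT SETINFO"):
				time.Sleep(setinfoDelay)
				reply = "+OK\r\n"
			case cmd == "PING":
				reply = "+PONG\r\n"
			}
			srv.Write([]byte(reply)) // blocks until the client reads it
		}()
	}
}

// client is a deliberately minimal stand-in for a go-redis connection:
// one socket, one buffered reader, one outstanding command at a time.
type client struct {
	conn net.Conn
	rd   *bufio.Reader
}

// do writes an inline command and waits up to timeout for its one-line reply.
func (c *client) do(cmd string, timeout time.Duration) (string, error) {
	if _, err := c.conn.Write([]byte(cmd + "\r\n")); err != nil {
		return "", err
	}
	c.conn.SetReadDeadline(time.Now().Add(timeout))
	defer c.conn.SetReadDeadline(time.Time{})
	line, err := c.rd.ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(line), nil
}

func isTimeout(err error) bool {
	var ne net.Error
	return errors.Is(err, os.ErrDeadlineExceeded) || (errors.As(err, &ne) && ne.Timeout())
}

// connectVulnerable mirrors the flawed handshake: a timeout on CLIENT SETINFO
// is swallowed and the connection is handed out anyway, with the server's
// late +OK still in flight towards it.
func connectVulnerable(setinfoDelay, timeout time.Duration) (*client, error) {
	cli, srv := net.Pipe()
	go fakeRedis(srv, setinfoDelay)
	c := &client{conn: cli, rd: bufio.NewReader(cli)}
	if _, err := c.do("CLIENT SETINFO LIB-NAME demo", timeout); err != nil && !isTimeout(err) {
		cli.Close()
		return nil, err
	}
	return c, nil // BUG: returned even after the handshake timed out
}

// connectFixed treats any handshake error, timeouts included, as fatal for
// that connection, so the reply to a command the client gave up on can never
// be consumed as the answer to a later command.
func connectFixed(setinfoDelay, timeout time.Duration) (*client, error) {
	cli, srv := net.Pipe()
	go fakeRedis(srv, setinfoDelay)
	c := &client{conn: cli, rd: bufio.NewReader(cli)}
	if _, err := c.do("CLIENT SETINFO LIB-NAME demo", timeout); err != nil {
		cli.Close()
		return nil, fmt.Errorf("handshake failed, connection discarded: %w", err)
	}
	return c, nil
}

// pingAfterHandshake connects with a handshake that is guaranteed to time out
// (server replies after 100ms, client waits 20ms), lets the late reply land,
// then reports what the client believes PING answered.
func pingAfterHandshake(connect func(time.Duration, time.Duration) (*client, error)) (string, error) {
	c, err := connect(100*time.Millisecond, 20*time.Millisecond)
	if err != nil {
		return "", err
	}
	defer c.conn.Close()
	time.Sleep(300 * time.Millisecond) // the stale +OK is now queued on the socket
	return c.do("PING", time.Second)
}

func main() {
	reply, err := pingAfterHandshake(connectVulnerable)
	fmt.Printf("vulnerable: PING answered with %q, err=%v\n", reply, err)
	reply, err = pingAfterHandshake(connectFixed)
	fmt.Printf("fixed:      PING answered with %q, err=%v\n", reply, err)
}
```

With the vulnerable connect, PING is answered with "+OK", the reply to the abandoned CLIENT SETINFO; with the fixed connect, the handshake error surfaces and the connection is never reused. A pooled client that closes a connection on any handshake error, or that refuses to reuse a connection with unread data, is what keeps this desynchronisation from propagating.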
Attack Vector
The attack vector is network-based and requires specific conditions to exploit. An attacker with the ability to introduce network latency or connectivity issues between the Redis client and server could potentially trigger the timeout condition. The vulnerability can also manifest through:
- Network infrastructure issues causing intermittent connectivity
- Aggressive timeout configurations in high-latency environments
- Resource exhaustion scenarios affecting network performance
The following patch introduces a new DisableIdentity option to properly handle the SETINFO command behavior:
// Enables read only queries on slave/follower nodes.
readOnly bool
- // Disable set-lib on connect. Default is false.
+ // DisableIndentity - Disable set-lib on connect.
+ //
+ // default: false
+ //
+ // Deprecated: Use DisableIdentity instead.
DisableIndentity bool
+ // DisableIdentity is used to disable CLIENT SETINFO command on connect.
+ //
+ // default: false
+ DisableIdentity bool
+
// Add suffix to client name. Default is empty.
IdentitySuffix string
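Review bot: The doc comment on the retained DisableIndentity field (`// DisableIndentity - Disable set-lib on connect.`) should state how the two flags combine, namely that setting either the deprecated field or DisableIdentity suppresses CLIENT SETINFO, so callers still using the misspelled name know their existing setting keeps taking effect after upgrading. The two comments also describe the same behaviour with different words ("Disable set-lib on connect" versus "disable CLIENT SETINFO command on connect"); aligning both on the command name, and having the DisableIdentity comment name the field it replaces, would make the migration path obvious from godoc alone.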
Source: GitHub Commit Update
Detection Methods for CVE-2025-29923
Indicators of Compromise
- Unexpected or mismatched responses from Redis commands in application logs
- Connections being frequently marked as "bad" and discarded by the connection pool
- Intermittent data integrity errors when reading from Redis
- Timeout errors specifically related to CLIENT SETINFO during connection establishment
Detection Strategies
- Monitor application logs for Redis response errors or unexpected data formats
- Implement response validation to detect when returned data doesn't match expected command responses
- Track connection pool health metrics for anomalous connection discard rates
- Review go-redis client version across all deployed applications to identify vulnerable instances
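The version review in the last item can be scripted against each service's go.mod. The following Go program is an added example, not part of the advisory or of go-redis: it parses a MAJOR.MINOR.PATCH version, applies the advisory's three ranges (before 9.5.5, the 9.6 line before 9.6.3, the 9.7 line before 9.7.3), and scans go.mod text for the `github.com/redis/go-redis/v9` requirement. The sample go.mod is constructed for the example; IsVulnerable and CheckGoMod are the example's own names.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

const goRedisModule = "github.com/redis/go-redis/v9"

// fixedReleases lists the fixed release of each affected branch named in
// the advisory, earliest first.
var fixedReleases = [][3]int{{9, 5, 5}, {9, 6, 3}, {9, 7, 3}}

// parseVersion turns "v9.6.1", "9.6.1" or "v9.6.1-rc.1" into its numeric
// major/minor/patch triple; pre-release and build suffixes are dropped.
func parseVersion(s string) ([3]int, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return [3]int{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
	}
	var v [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return [3]int{}, fmt.Errorf("bad version component %q in %q", p, s)
		}
		v[i] = n
	}
	return v, nil
}

func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// IsVulnerable applies the advisory's ranges as it phrases them: every
// version before 9.5.5, the 9.6.x line before 9.6.3 and the 9.7.x line
// before 9.7.3 are affected. Anything newer than 9.7.3 is outside them.
func IsVulnerable(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, fixed := range fixedReleases {
		sameBranch := v[0] == fixed[0] && v[1] == fixed[1]
		if less(v, fixed) && (sameBranch || fixed == fixedReleases[0]) {
			return true, nil
		}
	}
	return false, nil
}

// CheckGoMod scans go.mod text for the go-redis v9 requirement and returns
// the pinned version and whether it falls in an affected range. An empty
// version means the module is not required directly.
func CheckGoMod(gomod string) (version string, vulnerable bool, err error) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		// Accept both a single-line "require <module> <version>" and the
		// indented lines inside a require ( ... ) block.
		if len(fields) >= 1 && fields[0] == "require" {
			fields = fields[1:]
		}
		if len(fields) >= 2 && fields[0] == goRedisModule {
			vulnerable, err = IsVulnerable(fields[1])
			return fields[1], vulnerable, err
		}
	}
	return "", false, nil
}

// sampleGoMod is a constructed go.mod pinning an affected release.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/redis/go-redis/v9 v9.6.1
	golang.org/x/sync v0.7.0 // indirect
)
`

func main() {
	v, vuln, err := CheckGoMod(sampleGoMod)
	fmt.Printf("go-redis %s vulnerable=%v err=%v\n", v, vuln, err)
}
```

go.mod is only the declared requirement; replace directives, vendoring and MVS across the module graph can change what is actually built. For the resolved version, run `go list -m github.com/redis/go-redis/v9` in each module and feed its output to IsVulnerable.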
Monitoring Recommendations
- Enable verbose logging for Redis client connections to capture SETINFO timeout events
- Monitor network latency between applications and Redis servers for abnormal patterns
- Set up alerts for elevated connection error rates in Redis client metrics
- Audit pipeline operations for response integrity verification
How to Mitigate CVE-2025-29923
Immediate Actions Required
- Upgrade go-redis to version 9.5.5, 9.6.3, or 9.7.3 depending on your current version branch
- Until the upgrade is rolled out, set DisableIndentity: true (the field available before the fix) or DisableIdentity: true (on fixed versions) when constructing client instances so that CLIENT SETINFO is not sent
- Review and adjust timeout configurations to reduce the likelihood of SETINFO timeouts
- Avoid using sticky connections in environments with unreliable network connectivity
Patch Information
The vulnerability has been fixed in go-redis versions 9.5.5, 9.6.3, and 9.7.3. The fix introduces a new DisableIdentity configuration option that properly handles the CLIENT SETINFO command behavior and deprecates the misspelled DisableIndentity field. Technical details of the fix are available in the GitHub Pull Request Discussion and the GitHub Security Advisory GHSA-92cp-5422-2mw7.
Workarounds
- Set DisableIndentity: true (legacy) or DisableIdentity: true (new) in client options to prevent the vulnerability
- Increase connection timeouts to reduce the likelihood of SETINFO command timeouts
- Avoid using sticky connections in favor of the default connection pool which limits exposure
- Implement application-level response validation for critical Redis operations
// Workaround configuration example (DisableIdentity exists from go-redis
// 9.5.5, 9.6.3 and 9.7.3 onward; earlier releases use DisableIndentity)
package main

import "github.com/redis/go-redis/v9"

func main() {
	client := redis.NewClient(&redis.Options{
		Addr:            "localhost:6379",
		DisableIdentity: true, // Prevents CLIENT SETINFO from being sent
	})
	defer client.Close()
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.