CVE-2025-62507 Overview
CVE-2025-62507 is a stack buffer overflow vulnerability in Redis, the popular open-source in-memory database. The vulnerability exists in the XACKDEL command handling, where an authenticated user can trigger a stack buffer overflow by supplying multiple stream IDs that exceed the statically allocated buffer size. This memory corruption flaw may potentially lead to remote code execution, allowing attackers to compromise Redis server instances.
Critical Impact
Authenticated attackers can exploit this stack buffer overflow in the XACKDEL command to potentially achieve remote code execution on affected Redis servers, compromising data integrity and server availability.
Affected Products
- Redis versions 8.2.0 and above (prior to 8.2.3)
- Redis (all deployments running vulnerable versions)
- Systems using Redis Stream functionality with XACKDEL operations
Discovery Timeline
- 2025-11-04 - CVE-2025-62507 published to NVD
- 2025-12-08 - Last updated in NVD database
Technical Details for CVE-2025-62507
Vulnerability Analysis
The vulnerability resides in the stream command processing within Redis's src/t_stream.c file. When handling the XACKDEL command, Redis uses a statically allocated array static_ids[STREAMID_STATIC_VECTOR_LEN] on the stack to store stream IDs. The vulnerability occurs because the code fails to check whether the number of supplied IDs exceeds this static buffer size before writing to it.
When an authenticated user executes an XACKDEL command with more IDs than the STREAMID_STATIC_VECTOR_LEN constant allows, the additional stream IDs overflow the stack buffer. This out-of-bounds write can corrupt adjacent stack memory, including return addresses and other critical stack frame data, potentially enabling an attacker to redirect execution flow.
The vulnerability is classified under CWE-787 (Out-of-bounds Write) and CWE-20 (Improper Input Validation), reflecting both the memory corruption issue and the failure to properly validate input bounds before buffer operations.
Root Cause
The root cause is improper input validation in the XACKDEL command handler. The code initializes a fixed-size stack buffer (static_ids) but does not verify that the number of incoming stream IDs (args.numids) fits within this buffer before iterating and writing each ID. This missing bounds check allows attackers to supply more IDs than the buffer can accommodate, resulting in a classic stack buffer overflow condition.
Attack Vector
The attack is network-accessible and requires low-privilege authenticated access to the Redis instance. An attacker with valid Redis credentials can craft a malicious XACKDEL command containing a number of stream IDs exceeding STREAMID_STATIC_VECTOR_LEN. When the Redis server processes this command, the stack buffer overflows, potentially allowing the attacker to:
- Crash the Redis server (denial of service)
- Corrupt memory to influence program behavior
- Achieve remote code execution by overwriting return addresses or function pointers
// Security patch in src/t_stream.c - Fix XACKDEL stack overflow
// Source: https://github.com/redis/redis/commit/5f83972188f6e5b1d6f1940218c650a9cbdf7741
* executed in a "all or nothing" fashion. */
streamID static_ids[STREAMID_STATIC_VECTOR_LEN];
streamID *ids = static_ids;
+ if (args.numids > STREAMID_STATIC_VECTOR_LEN)
+ ids = zmalloc(sizeof(streamID)*args.numids);
for (int j = 0; j < args.numids; j++) {
if (streamParseStrictIDOrReply(c,c->argv[j+args.startidx],&ids[j],0,NULL) != C_OK)
goto cleanup;
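Review bot: the heap path needs a matching release on every exit. The quoted lines show `goto cleanup` on a parse failure but not what the cleanup label does, so confirm that it frees the zmalloc'd block only when `ids != static_ids` (an unconditional zfree(ids) would try to free the stack array) and that the success path releases it too.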
The patch adds a bounds check that dynamically allocates memory using zmalloc() when the number of IDs exceeds the static buffer size, preventing the stack overflow.
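Added example, not Redis code: a small C model of the patched pattern (a static vector with heap fallback) that marks where the missing bounds check sat. The value of STREAMID_STATIC_VECTOR_LEN, the names parse_strict_id, id_vector, collect_ids, release_ids and check_collect, and the constructed IDs are assumptions; parse_strict_id is a simplified stand-in for streamParseStrictIDOrReply().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define STREAMID_STATIC_VECTOR_LEN 8 /* assumed value; the real one is in Redis's t_stream.c */

typedef struct { uint64_t ms, seq; } streamID;

/* Strict "ms-seq" parser, a simplified stand-in for streamParseStrictIDOrReply(). */
static int parse_strict_id(const char *s, streamID *id) {
    char *end; unsigned long long ms = strtoull(s, &end, 10);
    if (end == s || *end != '-') return -1;
    const char *seqp = end + 1;
    unsigned long long seq = strtoull(seqp, &end, 10);
    if (end == seqp || *end != '\0') return -1;
    id->ms = ms; id->seq = seq;
    return 0;
}

typedef struct {
    streamID static_ids[STREAMID_STATIC_VECTOR_LEN]; /* common case, no allocation */
    streamID *ids;                                   /* static_ids or a heap block */
} id_vector;

/* Returns numids on success, -1 on error; the caller always calls release_ids(). */
static int collect_ids(id_vector *v, const char **argv, int numids) {
    v->ids = v->static_ids;
    /* The bounds check the unpatched handler lacked: without it the loop writes past static_ids[]. */
    if (numids > STREAMID_STATIC_VECTOR_LEN) {
        v->ids = malloc(sizeof(streamID) * (size_t)numids);
        if (!v->ids) return -1;
    }
    for (int j = 0; j < numids; j++)
        if (parse_strict_id(argv[j], &v->ids[j]) != 0) return -1;
    return numids;
}

/* Mirrors the cleanup path: free only when the heap fallback was taken. */
static void release_ids(id_vector *v) { if (v->ids != v->static_ids) free(v->ids); v->ids = v->static_ids; }

static int id_is_valid(const char *s) { streamID t; return parse_strict_id(s, &t) == 0; }

/* Self-check on constructed IDs "1700000000000-j": 1 if all round-trip and the heap path was taken exactly when needed. */
static int check_collect(int numids) {
    static char store[32][32]; const char *argv[32];
    if (numids < 0 || numids > 32) return 0;
    for (int j = 0; j < numids; j++) { snprintf(store[j], 32, "1700000000000-%d", j); argv[j] = store[j]; }
    id_vector v;
    int ok = collect_ids(&v, argv, numids) == numids;
    ok = ok && ((v.ids != v.static_ids) == (numids > STREAMID_STATIC_VECTOR_LEN));
    for (int j = 0; ok && j < numids; j++)
        ok = v.ids[j].ms == 1700000000000ULL && v.ids[j].seq == (uint64_t)j;
    release_ids(&v);
    return ok;
}
```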
Detection Methods for CVE-2025-62507
Indicators of Compromise
- Unusual XACKDEL commands with abnormally high numbers of stream IDs in Redis logs
- Redis server crashes or unexpected restarts following stream operations
- Memory corruption errors or segmentation faults in Redis process logs
- Suspicious network connections following Redis command execution
Detection Strategies
- Monitor Redis command logs for XACKDEL operations with excessive ID counts
- Implement network intrusion detection rules to flag malformed or unusually large Redis commands
- Deploy endpoint detection to identify Redis process crashes or abnormal memory access patterns
- Enable Redis slow log and command auditing to capture potentially malicious stream operations
Monitoring Recommendations
- Configure Redis to log all XACKDEL commands via the ACL LOG feature
- Set up alerting for Redis process crashes or unexpected terminations
- Monitor Redis memory usage patterns for anomalies during stream operations
- Implement network-level monitoring for Redis protocol traffic anomalies
How to Mitigate CVE-2025-62507
Immediate Actions Required
- Upgrade Redis to version 8.2.3 or later immediately
- If immediate patching is not possible, implement ACL restrictions to block XACKDEL command execution
- Review Redis ACL configurations to ensure only necessary users have stream command access
- Audit Redis authentication settings to minimize attack surface
Patch Information
Redis has released version 8.2.3 to address this vulnerability. The fix implements proper bounds checking before using the static buffer, dynamically allocating heap memory when the number of stream IDs exceeds STREAMID_STATIC_VECTOR_LEN. Organizations should upgrade to this version as soon as possible.
For detailed patch information, see the Redis commit on GitHub (https://github.com/redis/redis/commit/5f83972188f6e5b1d6f1940218c650a9cbdf7741) and the GitHub Security Advisory GHSA-jhjx-x4cf-4vm8.
Workarounds
- Use Redis ACL to restrict XACKDEL command execution: configure ACL SETUSER to deny the XACKDEL command for all non-administrative users
- Implement network segmentation to limit Redis server exposure to trusted networks only
- Enable Redis authentication and use strong credentials to reduce unauthorized access risk
- Consider using Redis Sentinel or Cluster configurations with restricted command sets
# Configuration example - Restrict XACKDEL via Redis ACL
# Connect to Redis and configure ACL to deny XACKDEL for a specific existing user
redis-cli ACL SETUSER appuser -XACKDEL
# Alternatively, create a restricted user without XACKDEL (replace the placeholder password)
redis-cli ACL SETUSER restricted_user on >strongpassword ~* +@all -XACKDEL
# Verify the rule took effect
redis-cli ACL GETUSER restricted_user
# Runtime ACL changes are not persisted by themselves: run ACL SAVE when an aclfile is configured,
# otherwise CONFIG REWRITE, so the restriction survives a restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.