Platform: redis
Component: redis
Fixed in: 8.0.4
CVE-2025-46686 describes a potential memory consumption vulnerability in Redis versions 0 through 8.0.3. An authenticated user can exploit this by sending a specially crafted multi-bulk command containing numerous bulk values. While disputed by the vendor, this can lead to resource exhaustion and potential denial-of-service. The vulnerability was published on 2025-07-23 and a fix is available in version 8.0.4.
The primary impact of CVE-2025-46686 is denial-of-service (DoS). An attacker, authenticated to the Redis instance, can craft a malicious multi-bulk command. This command, composed of many bulk values, forces the Redis server to allocate memory for each bulk, even if the user lacks permissions to execute the command fully. Repeatedly sending such commands can exhaust server memory, leading to instability, performance degradation, and ultimately, a crash. The blast radius is limited to the affected Redis instance, but a successful DoS could disrupt applications relying on Redis for caching, session management, or other critical functions. While the vendor disputes the severity, the potential for resource exhaustion warrants careful attention.
CVE-2025-46686 has a LOW CVSS score. Public proof-of-concept (PoC) code is currently unavailable, but the vulnerability's nature makes it potentially exploitable. The vendor disputes the severity, arguing that abuse of the network protocol isn't a security violation. It is not currently listed on KEV or EPSS. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-46686 is upgrading to Redis version 8.0.4 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing rate limiting on multi-bulk commands to restrict the number of requests from a single authenticated user within a given timeframe. Network-level firewalls or proxy servers can also be configured to inspect and block suspicious multi-bulk command patterns. Monitor Redis memory usage closely for unusual spikes, which could indicate exploitation attempts. After upgrading, confirm the fix by sending a crafted multi-bulk command and verifying that memory allocation remains within acceptable limits.
Update Redis to a version later than 8.0.3. This will mitigate the memory consumption vulnerability caused by multi-bulk commands. See the release notes for additional details about the fix.
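The workaround above mentions inspecting multi-bulk command patterns at a proxy. The following is an added example, not code from the advisory or from the Redis project, of how such a front-end check can work: it parses the RESP framing of a command (the `*N` array header and each `$len` bulk header) and rejects the request on the declared counts before any payload is buffered, so an over-declared command costs the inspector nothing. The limits `MAX_BULK_COUNT` and `MAX_BULK_LEN`, the helper names, and the sample byte strings are all constructed for this example and are not taken from Redis configuration.

```python
"""Proxy-side RESP multi-bulk inspection (illustrative example; assumed limits)."""

# Assumed limits for this example; tune to what the deployment actually needs.
MAX_BULK_COUNT = 1024                # max elements allowed in one multi-bulk command
MAX_BULK_LEN = 512 * 1024 * 1024     # max declared size of a single bulk string


class RespRejected(Exception):
    """Raised when a command's declared framing exceeds the configured limits."""


def _read_line(buf: bytes, pos: int):
    """Return (line_without_crlf, position_after_crlf) starting at pos."""
    end = buf.find(b"\r\n", pos)
    if end == -1:
        raise RespRejected("incomplete line")
    return buf[pos:end], end + 2


def inspect_multibulk(buf: bytes, max_count: int = MAX_BULK_COUNT,
                      max_len: int = MAX_BULK_LEN) -> list:
    """Parse one RESP multi-bulk command and return its arguments.

    The array count and every bulk length are validated from the declared
    headers before the corresponding bytes are touched, so an oversized
    declaration is rejected without allocating for its payload.
    """
    if not buf.startswith(b"*"):
        raise RespRejected("expected multi-bulk array")
    line, pos = _read_line(buf, 1)
    try:
        count = int(line)
    except ValueError:
        raise RespRejected("bad array length")
    if count < 0 or count > max_count:
        raise RespRejected(f"multi-bulk count {count} exceeds limit {max_count}")

    args = []
    for _ in range(count):
        if buf[pos:pos + 1] != b"$":
            raise RespRejected("expected bulk string")
        line, pos = _read_line(buf, pos + 1)
        try:
            length = int(line)
        except ValueError:
            raise RespRejected("bad bulk length")
        if length < 0 or length > max_len:
            raise RespRejected(f"bulk length {length} exceeds limit {max_len}")
        data = buf[pos:pos + length]
        if len(data) != length or buf[pos + length:pos + length + 2] != b"\r\n":
            raise RespRejected("truncated bulk")
        args.append(data)
        pos += length + 2
    return args


def check(buf: bytes):
    """Return (True, 'ok') for an acceptable command, else (False, reason)."""
    try:
        inspect_multibulk(buf)
        return True, "ok"
    except RespRejected as exc:
        return False, str(exc)


# Constructed sample inputs (not captured traffic).
NORMAL = b"*3\r\n$3\r\nSET\r\n$3\r\nkey\r\n$5\r\nvalue\r\n"
OVERSIZED_COUNT = b"*1000000\r\n$3\r\nSET\r\n"          # declares a million elements
OVERSIZED_BULK = b"*2\r\n$3\r\nSET\r\n$1073741824\r\n"   # declares a 1 GiB bulk

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("count", OVERSIZED_COUNT),
                         ("bulk", OVERSIZED_BULK)):
        print(name, check(sample))
```

The design point is that both checks run on the declared headers, not on received bytes: the proxy never needs the full payload to decide, which is the property a rate limiter or inspector needs if it is to avoid reproducing the same allocation pressure it is meant to prevent. Pairing this with the memory-usage monitoring the advisory recommends gives both a preventive and a detective control.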
CVE-2025-46686 is a LOW severity vulnerability in Redis versions 0-8.0.3 that allows authenticated users to trigger excessive memory consumption via crafted multi-bulk commands, potentially leading to denial-of-service.
If you are running Redis versions 0 through 8.0.3, you are potentially affected by this vulnerability. Upgrade to version 8.0.4 or later to mitigate the risk.
The recommended fix is to upgrade to Redis version 8.0.4 or later. As a temporary workaround, implement rate limiting on multi-bulk commands and monitor Redis memory usage.
Currently, there are no public reports of CVE-2025-46686 being actively exploited, but the vulnerability's nature makes it potentially exploitable. Monitor security advisories for updates.
Refer to the official Redis security advisories on the Redis website for the most up-to-date information and guidance regarding CVE-2025-46686.