CVE-2025-21605
Published: 23 April 2025
Summary
CVE-2025-21605 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Redis. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked in the top 33.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-21605 affects Redis, an open-source in-memory database, in all versions from 2.6 through 7.4.2. The flaw is an uncontrolled output-buffer growth condition (CWE-770) that occurs because the default configuration imposes no client-output-buffer-limit on normal clients. An unauthenticated remote attacker can therefore drive unbounded memory consumption on the server simply by sending repeated commands that elicit responses, eventually exhausting available RAM and terminating the Redis process.
Because Redis permits connections before authentication, the same buffer-growth vector remains available even when password authentication is enabled; the server continues to reply with “NOAUTH” messages that accumulate in the client output buffer. Exploitation requires only network reachability and no credentials, resulting in a denial-of-service condition that affects availability but not confidentiality or integrity (CVSS 7.5).
The official patch is included in Redis 7.4.3. Advisories recommend either upgrading or applying network-level controls such as firewalls, iptables, or security groups to block unauthenticated clients; an alternative is to enforce TLS with client-certificate authentication so that only authorized parties can establish a connection.
EPSS for the vulnerability rose from a baseline near 0.005 to a peak of 0.0209 on 23 May 2026 before receding, indicating a measurable increase in observed exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12407
Vulnerability details
Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, an unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is killed.
By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow without bound over time, exhausting memory and making the service unavailable. When password authentication is enabled on the Redis server but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system runs out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access so that unauthenticated users cannot connect to Redis. This can be done in different ways: either using network access control tools such as firewalls, iptables or security groups, or enabling TLS and requiring users to authenticate using client-side certificates.
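The default-versus-hardened setting described above can be checked mechanically. The following Python audit helper is an added example, not code from the advisory or the Redis project. It assumes the `<class> <hard-limit> <soft-limit> <soft-seconds>` layout that the `client-output-buffer-limit` directive uses in redis.conf and in `CONFIG GET` output (with Redis's `k/kb/m/mb/g/gb` size suffixes), and treats a hard and soft limit of 0 as "unbounded". The sample strings are constructed; the 64mb/16mb/30s hardened numbers are an illustrative cap, not a value the advisory recommends.

```python
"""Audit helpers for CVE-2025-21605: unbounded Redis client output buffers.

Added example (not from the advisory or the Redis project). Assumes the
`<class> <hard> <soft> <soft-seconds>` layout of the client-output-buffer-limit
directive, where a hard and soft limit of 0 means "no limit".
"""
from dataclasses import dataclass
import re

FIRST_AFFECTED = (2, 6, 0)   # affected range starts at 2.6 (per the advisory)
PATCHED = (7, 4, 3)          # first release containing the fix (per the advisory)

# Constructed samples. DEFAULT_LIMITS mirrors a stock configuration: normal
# clients carry no limit at all. HARDENED_LIMITS is an illustrative cap only.
DEFAULT_LIMITS = "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
HARDENED_LIMITS = "normal 64mb 16mb 30 replica 256mb 64mb 60 pubsub 32mb 8mb 60"

# Redis memory units: 1k = 1000, 1kb = 1024, 1m = 1000000, 1mb = 1024*1024, ...
_UNITS = {"": 1, "k": 1000, "kb": 1024, "m": 1000**2, "mb": 1024**2,
          "g": 1000**3, "gb": 1024**3}


def parse_size(text: str) -> int:
    """Convert a Redis size literal such as '64mb' or '268435456' to bytes."""
    m = re.fullmatch(r"(\d+)([kmg]b?)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised size literal: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or ""]


@dataclass(frozen=True)
class BufferLimit:
    hard_bytes: int
    soft_bytes: int
    soft_seconds: int

    def is_unbounded(self) -> bool:
        # A limit of 0 disables that check; with both at 0 nothing stops the
        # buffer from growing until the process is out of memory.
        return self.hard_bytes == 0 and self.soft_bytes == 0


def parse_output_buffer_limits(value: str) -> dict[str, BufferLimit]:
    """Parse a client-output-buffer-limit value (conf line or CONFIG GET form)."""
    tokens = value.split()
    if tokens and tokens[0] == "client-output-buffer-limit":
        tokens = tokens[1:]                     # tolerate a full redis.conf line
    if not tokens or len(tokens) % 4:
        raise ValueError("expected groups of <class> <hard> <soft> <seconds>")
    limits = {}
    for i in range(0, len(tokens), 4):
        cls, hard, soft, secs = tokens[i:i + 4]
        limits[cls] = BufferLimit(parse_size(hard), parse_size(soft), int(secs))
    return limits


def parse_version(text: str) -> tuple[int, int, int]:
    """Accept 'redis_version:7.4.2' (from INFO server) or a bare '7.4.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_version_affected(version: tuple[int, int, int]) -> bool:
    """True for 2.6 <= version < 7.4.3, the range the advisory names."""
    return FIRST_AFFECTED <= version < PATCHED


def audit(version_text: str, limits_value: str) -> list[str]:
    """Return findings; an empty list means neither condition was observed."""
    findings = []
    version = parse_version(version_text)
    if is_version_affected(version):
        findings.append("redis %d.%d.%d is in the affected range; upgrade to 7.4.3+" % version)
    normal = parse_output_buffer_limits(limits_value).get("normal")
    if normal is None or normal.is_unbounded():
        findings.append("normal clients have no output buffer limit "
                        "(client-output-buffer-limit normal 0 0 0)")
    return findings


if __name__ == "__main__":
    for version, limits in (("redis_version:7.4.2", DEFAULT_LIMITS),
                            ("redis_version:7.4.3", HARDENED_LIMITS)):
        print(version, "->", audit(version, limits) or ["no findings"])
```

Feeding the helper the output of `redis-cli INFO server` and `redis-cli CONFIG GET client-output-buffer-limit` gives a quick inventory check across a fleet. A non-zero limit on the `normal` class makes Redis close a client whose pending replies exceed the hard limit (or stay above the soft limit for the configured number of seconds), which bounds the per-client memory growth the advisory describes; it complements, rather than replaces, upgrading to 7.4.3 and restricting which hosts can reach the server.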
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote attackers can exploit unlimited output buffer growth in Redis to exhaust application memory (T1499.003) or leverage the vulnerability for endpoint DoS via application exploitation (T1499.004).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
- Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
- Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
- Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
- Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
- Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
- Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
- Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.