Cyber Resilience

CVE-2025-21605

Severity: High · Category: DDoS

Published: 23 April 2025
Modified: 10 February 2026
KEV Added: not listed
Patch: available
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.0050 (66.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21605 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Redis. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The vulnerability ranks in the top 33.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-21605 affects Redis, an open-source in-memory database, in all versions from 2.6 through 7.4.2. The flaw is an uncontrolled output-buffer growth condition (CWE-770) that occurs because the default configuration imposes no client-output-buffer-limit on normal clients. An unauthenticated remote attacker can therefore drive unbounded memory consumption on the server simply by sending repeated commands that elicit responses, eventually exhausting available RAM and terminating the Redis process.

Because Redis permits connections before authentication, the same buffer-growth vector remains available even when password authentication is enabled; the server continues to reply with “NOAUTH” messages that accumulate in the client output buffer. Exploitation requires only network reachability and no credentials, resulting in a denial-of-service condition that affects availability but not confidentiality or integrity (CVSS 7.5).

The official patch is included in Redis 7.4.3. Advisories recommend either upgrading or applying network-level controls such as firewalls, iptables, or security groups to block unauthenticated clients; an alternative is to enforce TLS with client-certificate authentication so that only authorized parties can establish a connection.

EPSS for the vulnerability rose from a baseline near 0.005 to a peak of 0.0209 on 23 May 2026 before receding, indicating a measurable increase in observed exploitation interest after disclosure.

Vulnerability details

Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, an unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed.

By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system runs out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: either using network access control tools like firewalls, iptables, security groups, etc., or enabling TLS and requiring users to authenticate using client-side certificates.
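As an added example (not from the advisory or the Redis project), the POSIX shell check below parses the value that `redis-cli CONFIG GET client-output-buffer-limit` returns and flags the `normal` client class when both its hard and soft limits are 0, which is the unlimited default described above. The sample values are constructed, the two-line output format of a piped `redis-cli` is an assumption, and the `32mb 8mb 60` hardened values are an illustrative choice, not a vendor recommendation.

```shell
#!/bin/sh
# Added example: classify the client-output-buffer-limit setting for the
# "normal" client class. Redis reports the limits as one string of
# "<class> <hard-bytes> <soft-bytes> <soft-seconds>" groups, one per class.
# Hard limit 0 and soft limit 0 together mean no limit at all.

# Constructed samples standing in for the value line of
# `redis-cli CONFIG GET client-output-buffer-limit` (assumed format).
SAMPLE_DEFAULT='normal 0 0 0 replica 268435456 67108864 60 pubsub 33554432 8388608 60'
SAMPLE_HARDENED='normal 33554432 8388608 60 replica 268435456 67108864 60 pubsub 33554432 8388608 60'

# normal_limit_status VALUE
# Prints "unlimited", "limited", or "missing" (no normal class present).
normal_limit_status() {
  printf '%s\n' "$1" | awk '
    {
      found = 0
      for (i = 1; i + 3 <= NF; i += 4) {
        if ($i == "normal") {
          found = 1
          hard = $(i + 1) + 0; soft = $(i + 2) + 0
          if (hard == 0 && soft == 0) print "unlimited"; else print "limited"
        }
      }
      if (!found) print "missing"
    }'
}

# audit_instance VALUE
# Returns 0 when the normal class is bounded, 1 otherwise, so it can gate a
# deployment or compliance check.
audit_instance() {
  status=$(normal_limit_status "$1")
  case "$status" in
    limited) echo "ok: normal-client output buffer is bounded"; return 0 ;;
    *) echo "FAIL ($status): e.g. client-output-buffer-limit normal 32mb 8mb 60 (assumed values)"; return 1 ;;
  esac
}

# Against a live server one would feed in the real value, for example:
#   audit_instance "$(redis-cli CONFIG GET client-output-buffer-limit | sed -n 2p)"
# Here the constructed samples are used instead.
audit_instance "$SAMPLE_DEFAULT" || :
audit_instance "$SAMPLE_HARDENED" || :
```

Bounding the normal class does not replace the upgrade to 7.4.3 or the network/TLS controls above; it limits how much memory a single unauthenticated connection can pin before the server disconnects it.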

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Unauthenticated remote attackers can exploit unlimited output buffer growth in Redis to exhaust application memory (T1499.003) or leverage the vulnerability for endpoint DoS via application exploitation (T1499.004).

Affected Assets

redis / redis: 2.6.0 to 6.2.18, 7.0 to 7.2.8, 7.4.0 to 7.4.3
lfprojects / valkey: 7.2.4 to 7.2.9, 8.0.0 to 8.0.3, 8.1.0 to 8.1.1
debian / debian linux: 11.0

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-770: This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.

Addresses CWE-770: Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.

Addresses CWE-770: Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.

Addresses CWE-770: Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.

Addresses CWE-770: Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.

Addresses CWE-770: Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.

Addresses CWE-770: Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.

Addresses CWE-770: Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.
