CVE-2025-67733
Published: 23 February 2026
Summary
CVE-2025-67733 is a high-severity Injection (CWE-74) vulnerability in Lfprojects Valkey. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring identification, reporting, and timely patching of the Valkey Lua script error handling flaw.
- SI-11 (Error Handling): addresses the root cause by ensuring that error handling in Lua scripts properly manages null characters without enabling response stream injection.
- Input validation: validates inputs to Lua scripting commands so that null characters capable of triggering the error handling flaw are rejected or sanitized.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the Lua script error handling of a network-accessible database server (Valkey) enables remote exploitation of a public-facing application (T1190) and abuse of the Lua scripting interpreter for response injection.
NVD Description
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for Lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
Deeper analysis
CVE-2025-67733 is a vulnerability in Valkey, a distributed key-value database forked from Redis. It affects versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. The issue arises in the error handling code for Lua scripts, which fails to properly handle null characters. This flaw allows a malicious user to inject arbitrary information into the response stream intended for a specific client.
An attacker requires low privileges (PR:L) to exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in a scope change (S:C), enabling the injection of tampered or corrupted data that affects other users sharing the same connection. The impact is low on integrity (I:L) and high on availability (A:H), giving a CVSS v3.1 base score of 8.5. The vulnerability is classified under CWE-74.
The official Valkey security advisory (GHSA-p876-p7q5-hv2m) confirms that upgrading to versions 9.0.2, 8.1.6, 8.0.7, or 7.2.12 resolves the error handling issue in Lua scripts. No additional mitigations are specified beyond applying these patched releases.
Details
- CWE(s)