Cyber Resilience

CVE-2025-67733

Severity: High (updated)
Published: 23 February 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H)
EPSS Score: 0.0042 (33.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-67733 is a high-severity Injection (CWE-74) vulnerability in Lfprojects Valkey. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 33.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-67733 is a vulnerability in Valkey, a distributed key-value database forked from Redis. It affects versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. The issue arises in the error handling code for Lua scripts, which fails to properly handle null characters. This flaw allows a malicious user to inject arbitrary information into the response stream intended for a specific client.

An attacker requires low privileges (PR:L) to exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in a scope change (S:C), enabling the injection of tampered or corrupted data that affects other users sharing the same connection. Impacts include low integrity violation (I:L) and high availability disruption (A:H), with a CVSS v3.1 base score of 8.5. The vulnerability is classified under CWE-74.

The official Valkey security advisory (GHSA-p876-p7q5-hv2m) confirms that upgrading to versions 9.0.2, 8.1.6, 8.0.7, or 7.2.12 resolves the error handling issue in Lua scripts. No additional mitigations are specified beyond applying these patched releases.
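As an added example (not code from the advisory or the Valkey project), the following check classifies a server version against the fixed releases named above, reading the version out of an INFO server reply. The INFO field names (valkey_version, redis_version) and the treatment of branches the advisory does not name are assumptions, flagged in the comments.

```python
import re

# Fixed release per (major, minor) branch, taken from the advisory text.
FIXED_BY_BRANCH = {(7, 2): (7, 2, 12), (8, 0): (8, 0, 7),
                   (8, 1): (8, 1, 6), (9, 0): (9, 0, 2)}
NEWEST_FIXED = max(FIXED_BY_BRANCH.values())  # (9, 0, 2)


def parse_version(text):
    """Turn '8.1.5' into (8, 1, 5); a suffix such as '-rc1' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version predates the fixed release on its branch.
    Assumed, not stated by the advisory: branches older than 7.2 got no fix
    (affected), branches newer than 9.0 postdate every fix (not affected),
    and any other branch between those is treated as affected."""
    v = parse_version(version)
    if v[:2] in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[v[:2]]
    return v < NEWEST_FIXED


def version_from_info(info):
    """Read the version from an INFO server reply. Field names are assumed:
    valkey_version is preferred, redis_version is the compatibility fallback."""
    fields = {}
    for line in info.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    for key in ("valkey_version", "redis_version"):
        if key in fields:
            return fields[key]
    raise ValueError("no version field found in INFO output")


# Constructed INFO server excerpt for the demo; not captured from a real host.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.4\r\nvalkey_version:8.1.5\r\nos:Linux\r\n"


def check_sample():
    """Classify the constructed sample; returns (version, affected)."""
    ver = version_from_info(SAMPLE_INFO)
    return ver, is_affected(ver)
```

Feed the function the real INFO server output of each instance in an inventory to get a per-host affected/not-affected verdict.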

Vulnerability details

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for Lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.

CWE(s): CWE-74 (Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.011 Lua (Execution): Adversaries may abuse Lua commands and scripts for execution.
Why these techniques?

The flaw sits in the Lua script error handling of a network-accessible database server (Valkey), so it can be exploited remotely against a public-facing application, and it abuses the Lua scripting interpreter to inject data into the response stream.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-21863 (same product: Lfprojects Valkey)
- CVE-2026-27623 (same product: Lfprojects Valkey)
- CVE-2026-21864 (same vendor: Lfprojects)
- CVE-2025-49844 (same product: Lfprojects Valkey)
- CVE-2026-29064 (same vendor: Lfprojects)
- CVE-2026-40090 (same vendor: Lfprojects)
- CVE-2026-25814 (shared CWE-74)
- CVE-2026-27727 (shared CWE-74)
- CVE-2026-7770 (shared CWE-74)
- CVE-2026-25536 (same vendor: Lfprojects)

Affected Assets

lfprojects valkey: ≤ 7.2.12 · 8.0.0 — 8.0.7 · 8.1.0 — 8.1.6

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- prevent · SI-2 (Flaw Remediation): Directly mitigates the CVE by requiring identification, reporting, and timely patching of the Valkey Lua script error handling flaw.
- prevent · SI-11 (Error Handling): Addresses the root cause by ensuring error handling in Lua scripts properly manages null characters without enabling response stream injection.
- prevent: Validates inputs to Lua scripting commands to reject or sanitize null characters that could trigger the error handling vulnerability.
