| Package | redis |
|---|---|
| Version | 3:3.2.6-3+deb9u16 (stretch), 5:5.0.14-1+deb10u9 (buster) |
| Related CVEs | CVE-2025-32023 CVE-2025-48367 |
Two issues were discovered in Redis, the key-value database:

- CVE-2025-32023: An authenticated user may have used a specially-crafted string to trigger a stack/heap out-of-bounds write during hyperloglog operations, potentially leading to a remote code execution vulnerability. Installations that used Redis' ACL system to restrict hyperloglog (HLL) commands are unaffected by this issue.
- CVE-2025-48367: An unauthenticated connection could have caused repeated IP protocol errors, leading to client starvation and ultimately becoming a Denial of Service (DoS) attack.
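
The advisory notes that installations restricting hyperloglog commands are unaffected by CVE-2025-32023. As an added illustration (not part of this advisory, and not Debian's or Redis' own configuration), the redis.conf fragment below shows how such a restriction looks. Redis ACLs were introduced in Redis 6.0, so they are not available in the 3.2 and 5.0 packages covered here; for those, the long-standing `rename-command` directive is the closest equivalent. The password and key pattern are placeholders.

```conf
# Added example, not from the advisory. Restricting HyperLogLog commands.

# Redis 6.0 and later: ACLs can deny the @hyperloglog command category per user.
# (Not available in the 3.2 / 5.0 packages this advisory covers.)
user default on >REPLACE_WITH_STRONG_PASSWORD ~* +@all -@hyperloglog

# Redis 3.2 / 5.0: no ACL system; rename-command to the empty string disables a
# command for every client. PFADD/PFCOUNT/PFMERGE are the normal client-facing
# HLL commands; PFDEBUG and PFSELFTEST are debugging commands.
rename-command PFADD ""
rename-command PFCOUNT ""
rename-command PFMERGE ""
rename-command PFDEBUG ""
rename-command PFSELFTEST ""
```

Renamed commands apply to every client, so this is only workable where the application does not use HLL at all, and the same rename-command lines must be present on primaries and replicas so replicated traffic keeps working. On the versions in this advisory the actual fix is upgrading to the package versions listed below; the configuration above only narrows exposure until that is done.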
For Debian 10 buster, these problems have been fixed in version 5:5.0.14-1+deb10u9.
For Debian 9 stretch, these problems have been fixed in version 3:3.2.6-3+deb9u16.
We recommend that you upgrade your redis packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.