CVE-2024-31228

MEDIUM EPSS 58.7%

Published Oct 7, 20241y ago · Modified Jun 17, 20261w ago

6.5 CVSS 3.1

Medium

Published Oct 7, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

Description

Redis is an open source, in-memory database that persists on disk. Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Details

Base Score

6.5

Exploitability

2.8

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

58.7% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-674

Affected Products 5

Vendor	Product	Version	Range
redis	redis	*	≥2.2.5 – <6.2.16
redis	redis	*	≥7.2.0 – <7.2.6
redis	redis	7.4.0	any
redis	redis	7.4.0	any
redis	redis	7.4.0	any

References 3

github.com https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0

Patch
github.com https://github.com/redis/redis/security/advisories/GHSA-66gq-c942-6976

Vendor Advisory
lists.debian.org https://lists.debian.org/debian-lts-announce/2024/11/msg00031.html

Remediation

github.com https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0

Patch