CVE-2021-32675— DoS vulnerability in Redis
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-32675
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
DoS vulnerability in Redis
Source: NVD (National Vulnerability Database)
Vulnerability Description
Redis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: Using network access control tools like firewalls, iptables, security groups, etc. or Enabling TLS and requiring users to authenticate using client side certificates.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)
Vulnerability Title
Redis Labs Redis 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Redis Labs Redis是美国Redis Labs公司的一套开源的使用ANSI C编写、支持网络、可基于内存亦可持久化的日志型、键值(Key-Value)存储数据库,并提供多种语言的API。 Redis 存在安全漏洞,当解析一个传入的Redis Standard Protocol (RESP)请求时,Redis根据用户指定的值来分配内存,这些值决定了多个bulk报头中的元素数量和每个元素的大小(bulk报头)。攻击者可利用该漏洞通过多个连接传递特别设计的请求可能会导致服务器分配大量内存。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2021-32675
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 6940 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2021-32675
请登录查看更多情报信息。
Patches & Fixes for CVE-2021-32675 (1)
Vendor Advisories for CVE-2021-32675 (5)
- https://github.com/redis/redis/security/advisories/GHSA-f6pw-v9gw-v64px_refsource_CONFIRM
- https://security.netapp.com/advisory/ntap-20211104-0003/x_refsource_CONFIRM
- https://www.oracle.com/security-alerts/cpuapr2022.htmlx_refsource_MISC
Mailing List Discussions for CVE-2021-32675 (4)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/vendor-advisoryx_refsource_FEDORA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/vendor-advisoryx_refsource_FEDORA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/vendor-advisoryx_refsource_FEDORA
Same Patch Batch · redis · 2021-10-04 · 9 CVEs total
| CVE-2021-32765 | 8.8 HIGH | Integer Overflow to Buffer Overflow in Hiredis |
| CVE-2021-32626 | 7.5 HIGH | Lua scripts can overflow the heap-based Lua stack in Redis |
| CVE-2021-32627 | 7.5 HIGH | Integer overflow issue with Streams in Redis |
| CVE-2021-32628 | 7.5 HIGH | Vulnerability in handling large ziplists |
| CVE-2021-32687 | 7.5 HIGH | Integer overflow issue with intsets in Redis |
| CVE-2021-32762 | 7.5 HIGH | Integer overflow that can lead to heap overflow in redis-cli, redis-sentinel on some platf |
| CVE-2021-41099 | 7.5 HIGH | Integer overflow issue with strings in Redis |
| CVE-2021-32672 | 5.3 MEDIUM | Vulnerability in Lua Debugger in Redis |
IV. Related Vulnerabilities
Same product: redis
- CVE-2026-25243
redis-server RESTORE invalid memory access may allow remote - CVE-2026-23631
redis-server Lua use-after-free may allow remote code execut - CVE-2026-23479
redis-server use-after-free in unblock client flow may allow - CVE-2025-62507
Redis: Bug in XACKDEL may lead to stack overflow and potenti - CVE-2025-49844
Redis Lua Use-After-Free may lead to remote code execution
Same vendor: redis
- CVE-2026-25243
redis-server RESTORE invalid memory access may allow remote - CVE-2026-23631
redis-server Lua use-after-free may allow remote code execut - CVE-2026-23479
redis-server use-after-free in unblock client flow may allow - CVE-2025-62507
Redis: Bug in XACKDEL may lead to stack overflow and potenti - CVE-2025-49844
Redis Lua Use-After-Free may lead to remote code execution
Same weakness: CWE-770
- CVE-2026-44070
Unbounded realloc in charset conversion - CVE-2026-8488
Allocation of resources without limits or throttling vulnera - CVE-2026-8486
Allocation of resources without limits or throttling vulnera - CVE-2026-8469
Unauthenticated denial-of-service via BEAM atom table exhaus - CVE-2026-9064
389-ds-base: 389-ds-base: unbounded ldap controls count in g
V. Comments for CVE-2021-32675
No comments yet