CVE-2025-67733
8.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
Summary
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| valkey-io | valkey | < 7.2.12 | affected |
| valkey-io | valkey | >= 8.0.0, < 8.0.7 | affected |
| valkey-io | valkey | >= 8.1.0, < 8.1.6 | affected |
| valkey-io | valkey | >= 9.0.0, < 9.0.2 | affected |
Weaknesses
- CWE-74: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
Valkey: Valkey: Data tampering and denial of service via improper null character handling in Lua scripts
Additional References
- https://access.redhat.com/security/cve/CVE-2025-67733
- https://bugzilla.redhat.com/show_bug.cgi?id=2442025
- https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-67733.json
- https://access.redhat.com/errata/RHSA-2026:5445
- https://access.redhat.com/errata/RHSA-2026:3443
- https://access.redhat.com/errata/RHSA-2026:3507
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.