CVE-2025-29923 github.com/redis/go-redis/v9

Package

Manager: go
Name: github.com/redis/go-redis/v9
Vulnerable Version: >=9.7.0-beta.1 <9.7.3 || >=9.6.0b1 <9.6.3 || >=9.5.1 <9.5.5

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00025 (percentile 0.05431)

Details

go-redis allows potential out-of-order responses when `CLIENT SETINFO` times out during connection establishment

### Impact

The issue only occurs when the `CLIENT SETINFO` command times out during connection establishment. The following circumstances can cause such a timeout:

1. The client is configured to transmit its identity. This can be disabled via the `DisableIndentity` flag.
2. There are network connectivity issues.
3. The client was configured with aggressive timeouts.

The impact differs by use case:

* **Sticky connections**: Rather than using a connection from the pool on demand, the caller can stick with a single connection. In that case the caller receives persistent out-of-order responses for the lifetime of the connection.
* **Pipelines**: All commands in the pipeline receive incorrect responses.
* **Default connection pool usage without pipelining**: When used with the default [ConnPool](https://github.com/redis/go-redis/blob/8fadbef84a3f4e7573f8b38e5023fd469470a8a4/internal/pool/pool.go#L77), once a connection is returned after use with [ConnPool#Put](https://github.com/redis/go-redis/blob/8fadbef84a3f4e7573f8b38e5023fd469470a8a4/internal/pool/pool.go#L366), the read buffer is checked and the connection is marked as bad because of the unread data. This means that at most one out-of-order response is received before the connection is discarded.

### Patches

We prepared a fix in https://github.com/redis/go-redis/pull/3295 and plan to release patch versions soon.

### Workarounds

You can prevent the vulnerability by setting the flag `DisableIndentity` (BTW: We also need to fix the spelling.) to `true` when constructing the client instance.

### Credit

Akhass Wasti Ramin Ghorashi Anton Amlinger Syed Rahman Mahesh Venkateswaran Sergey Zavoloka Aditya Adarwal Abdulla Anam Abd-Alhameed Alex Vanlint Gaurav Choudhary Vedanta Jha Yll Kelani Ryan Picard

Metadata

Created: 2025-03-20T18:49:59Z
Modified: 2025-03-20T18:49:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-92cp-5422-2mw7/GHSA-92cp-5422-2mw7.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-92cp-5422-2mw7
Finding: F184
Auto approve: 1