Java Hardcoded Redis Password
Description
Detects hardcoded Redis passwords when using the Jedis client in Java applications. Embedding credentials directly in source code is a security risk as it can lead to unauthorized access if the code is exposed. These credentials should instead be stored securely in configuration files or environment variables.
Detection Strategy
• Code imports Redis/Jedis related libraries
• Redis client objects are created with password parameters
• Method calls contain hardcoded string literals used as Redis passwords
• Connection credentials are passed directly in code rather than loaded from configuration
Vulnerable code example
import redis.clients.jedis.JedisClientConfig;
import redis.clients.jedis.DefaultJedisClientConfig;
public class RedisExample {
public void configureRedis() {
// Hardcoded password directly in builder configuration
JedisClientConfig config = DefaultJedisClientConfig.builder()
.password("secret123") // Insecure: Hardcoded credential in source code...✅ Secure code example
import redis.clients.jedis.JedisClientConfig;
import redis.clients.jedis.DefaultJedisClientConfig;
public class RedisExample {
public void configureRedis(String password) { // Accept password as parameter
JedisClientConfig config = DefaultJedisClientConfig.builder()
.password(password) // Safe: Password provided via configuration/environment
.build();...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.