CVE-2021-29469
Denial of Service vulnerability in redis
What is CVE-2021-29469 About?
This vulnerability in NodeRedis affects clients running in monitoring mode and leads to a denial of service. Malicious input can cause exponential backtracking in the regex used to detect monitor messages, consuming excessive CPU. Exploitation complexity is moderate, since it requires specific conditions in the client's operation.
Affected Software
Technical Details
The vulnerability resides in the NodeRedis client library when it operates in monitoring mode. The regular expression (regex) used to detect monitor messages is susceptible to exponential backtracking when it is confronted with specially crafted input strings. An attacker who can get specific patterns into the monitor messages forces the regex engine through an extremely high number of backtracking steps. This computational overhead consumes significant CPU time on the client, producing a denial of service in which the client becomes unresponsive or performance for legitimate operations degrades severely.
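The robust alternative to a backtracking regex for this job is a hand-written, single-pass scanner: it visits each character at most once, so its cost is linear in the message length no matter what the message contains. The following is an added example written for this page, not node-redis's own code or its fixed regex. It assumes the Redis MONITOR line layout (timestamp, then `[db client]`, then double-quoted arguments with backslash escapes); the function names, the 64 KiB length cap and the 32-character prefix window are this example's own choices.

```javascript
// Added example (not node-redis code): linear-time handling of Redis MONITOR
// lines with no regular expressions, so there is nothing to backtrack.
// MONITOR line layout assumed here (matches Redis' own output):
//   <unix_ts>.<usec> [<db> <client>] "<cmd>" "<arg>" ...

const MAX_MONITOR_LINE = 64 * 1024; // assumed cap: reject oversized lines up front

function isDigit(c) {
  return c >= '0' && c <= '9';
}

// Cheap "does this reply look like a monitor message?" check. Only a bounded
// prefix (32 chars, an assumed limit) is examined, so cost does not grow with
// the message length at all.
function looksLikeMonitorLine(line) {
  if (typeof line !== 'string') return false;
  const limit = Math.min(line.length, 32);
  let i = 0;
  while (i < limit && isDigit(line[i])) i++;
  if (i === 0 || line[i] !== '.') return false;
  const fracStart = ++i;
  while (i < limit && isDigit(line[i])) i++;
  return i > fracStart && line[i] === ' ' && line[i + 1] === '[';
}

// Full parse. Returns { timestamp, db, client, args } or null when the line is
// malformed. Every branch advances i, so the whole function is O(n).
function parseMonitorLine(line) {
  if (typeof line !== 'string' || line.length === 0 || line.length > MAX_MONITOR_LINE) return null;
  const n = line.length;
  let i = 0;

  // timestamp: digits '.' digits
  while (i < n && isDigit(line[i])) i++;
  if (i === 0 || line[i] !== '.') return null;
  const fracStart = ++i;
  while (i < n && isDigit(line[i])) i++;
  if (i === fracStart) return null;
  const timestamp = line.slice(0, i);

  // ' [' db ' ' client ']'
  if (line[i] !== ' ' || line[i + 1] !== '[') return null;
  i += 2;
  const dbStart = i;
  while (i < n && isDigit(line[i])) i++;
  if (i === dbStart || line[i] !== ' ') return null;
  const db = Number(line.slice(dbStart, i));
  const clientStart = ++i;
  while (i < n && line[i] !== ']' && line[i] !== ' ') i++;
  if (i === clientStart || line[i] !== ']') return null;
  const client = line.slice(clientStart, i);
  i++;

  // zero or more: ' "' arg '"', with \" \\ and \xNN escapes inside the quotes
  const args = [];
  while (i < n) {
    if (line[i] !== ' ' || line[i + 1] !== '"') return null;
    i += 2;
    let arg = '';
    let closed = false;
    while (i < n) {
      const c = line[i];
      if (c === '\\') {
        const nxt = line[i + 1];
        if (nxt === undefined) return null; // dangling backslash
        if (nxt === 'x' && /^[0-9a-fA-F]{2}$/.test(line.slice(i + 2, i + 4))) {
          arg += String.fromCharCode(parseInt(line.slice(i + 2, i + 4), 16));
          i += 4;
        } else {
          arg += nxt; // \" -> "  and  \\ -> \
          i += 2;
        }
      } else if (c === '"') {
        closed = true;
        i++;
        break;
      } else {
        arg += c;
        i++;
      }
    }
    if (!closed) return null; // unterminated argument
    args.push(arg);
  }
  if (args.length === 0) return null; // a monitor line always carries a command
  return { timestamp, db, client, args };
}

module.exports = { looksLikeMonitorLine, parseMonitorLine, MAX_MONITOR_LINE };
```

The only regex left is the two-hex-digit check on a fixed four-character slice, which cannot backtrack. Feeding the parser a line that is nothing but an unterminated quoted argument tens of kilobytes long simply walks to the end and returns null; the same input shape is what drives nested-quantifier patterns into exponential work.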
What is the Impact of CVE-2021-29469?
Successful exploitation may allow attackers to cause the NodeRedis client to become unresponsive, leading to denial of service for applications relying on it, disrupting data access, and impairing system functionality.
What is the Exploitability of CVE-2021-29469?
Exploitation requires the NodeRedis client to be actively in monitoring mode. An attacker would need to get specific malicious strings into the monitor messages that the client processes. The complexity is moderate: crafting an input that triggers exponential backtracking requires knowledge of regex vulnerabilities and of the specific regex in use. While authentication to the Redis server might be needed to send such messages, the client itself does not require elevated privileges. This could be a remote attack if the Redis server accepts unauthenticated monitor commands, or a local network attack if the attacker can influence the messages seen by the monitor. The prerequisites are that the client operates in monitoring mode and that the attacker can control or influence the monitor messages it receives.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-29469?
Available Upgrade Options
- redis
  - >2.6.0, <3.1.1 → Upgrade to 3.1.1
Additional Resources
- https://security.netapp.com/advisory/ntap-20210611-0010/
- https://nvd.nist.gov/vuln/detail/CVE-2021-29469
- https://github.com/NodeRedis/node-redis/commit/2d11b6dc9b9774464a91fb4b448bad8bf699629e
- https://github.com/NodeRedis/node-redis/releases/tag/v3.1.1
- https://github.com/NodeRedis/node-redis/security/advisories/GHSA-35q2-47q7-3pc3
- https://osv.dev/vulnerability/GHSA-35q2-47q7-3pc3
What are Similar Vulnerabilities to CVE-2021-29469?
Similar Vulnerabilities: CVE-2021-32723, CVE-2021-32640, CVE-2021-29482, CVE-2021-32014, CVE-2021-32012
