CVE-2025-29923
Out of order responses vulnerability in go-redis (Go)


What is CVE-2025-29923 About?

This vulnerability in `github.com/redis/go-redis` might cause out-of-order responses. It occurs when a `CLIENT SETINFO` command times out during connection establishment. The impact could include data inconsistencies or unexpected application behavior due to misprocessed responses.

Affected Software

  • github.com/redis/go-redis/v9
    • >9.7.0-beta.1, <9.7.3
    • <9.6.3
    • >9.5.1, <9.5.5

Technical Details

The vulnerability in the github.com/redis/go-redis client library manifests as out-of-order responses. The condition is triggered when the CLIENT SETINFO command, which the client sends during the initial connection establishment phase, times out. The description points to a race condition or an unhandled state transition on that timeout: responses that arrive afterwards are consumed before the client has recovered or resynchronised its state, so the reply to one command can be read as the reply to another. At the application level, responses are then processed in an unintended sequence, which can cause data corruption, incorrect data processing, or logical errors in the application that relies on the Redis client.
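As an added illustration (constructed code, not go-redis's implementation or its fix), the following Go program models the general class of bug the paragraph above describes: a command that times out during connection setup leaves its reply unread on the socket, and if the pool hands that connection to the next caller, the caller reads the stale reply as the answer to its own command. The fake server, the command names, and the latency values are all assumptions chosen for the demonstration; the only real command name taken from the advisory is CLIENT SETINFO. The `discardBroken` switch contrasts reusing the connection (the failure mode) with dropping it (the defensive behaviour a client should have).

```go
// Constructed simulation (not go-redis code) of the bug class behind
// CVE-2025-29923: a reply left unread after a timeout is consumed by the
// next command on the same pooled connection. Latencies are compared as
// plain numbers; nothing sleeps and no network is used.
package main

import (
	"errors"
	"fmt"
	"time"
)

var errTimeout = errors.New("i/o timeout")

// conn models one client socket. Replies the server has written but the
// client has not yet read sit in pending, in FIFO order, just like bytes
// buffered on a TCP connection.
type conn struct {
	id      int
	pending []string
	broken  bool // set when a read timed out: the reply stream may be desynchronised
}

// serverReply is the constructed "server": a fixed answer per command.
func serverReply(cmd string) string {
	switch cmd {
	case "CLIENT SETINFO":
		return "OK"
	case "GET user:42": // hypothetical application key
		return "alice"
	default:
		return "ERR unknown command"
	}
}

// do sends cmd and then reads one reply within deadline. The server always
// answers after serverLatency; if that exceeds the deadline the client gives
// up, but the reply still lands on the connection and stays unread.
func (c *conn) do(cmd string, serverLatency, deadline time.Duration) (string, error) {
	c.pending = append(c.pending, serverReply(cmd)) // reply is now "on the wire"
	if serverLatency > deadline {
		c.broken = true
		return "", errTimeout // reply not consumed; it remains in pending
	}
	reply := c.pending[0] // FIFO: the oldest unread reply, whichever command it belongs to
	c.pending = c.pending[1:]
	return reply, nil
}

// pool is a minimal idle-connection pool.
type pool struct {
	idle   []*conn
	nextID int
}

func (p *pool) get() *conn {
	if n := len(p.idle); n > 0 {
		c := p.idle[n-1]
		p.idle = p.idle[:n-1]
		return c
	}
	p.nextID++
	return &conn{id: p.nextID}
}

// put returns c to the pool. With discardBroken=false (the vulnerable
// behaviour) a connection whose setup command timed out is reused; with
// discardBroken=true it is dropped so its stale reply can never be read.
func (p *pool) put(c *conn, discardBroken bool) {
	if discardBroken && c.broken {
		return // connection closed, not reused
	}
	p.idle = append(p.idle, c)
}

// scenario runs connection setup (CLIENT SETINFO against a slow server) and
// then an application GET on whatever connection the pool hands out next.
// It returns the reply the application saw and the id of the connection used.
func scenario(discardBroken bool) (reply string, connID int) {
	p := &pool{}
	c := p.get()
	// Setup: server takes 50ms, client deadline is 10ms, so SETINFO times out
	// and its "OK" stays unread on the connection.
	_, _ = c.do("CLIENT SETINFO", 50*time.Millisecond, 10*time.Millisecond)
	p.put(c, discardBroken)

	c = p.get()
	r, err := c.do("GET user:42", 1*time.Millisecond, 10*time.Millisecond)
	if err != nil {
		return err.Error(), c.id
	}
	return r, c.id
}

func main() {
	r, id := scenario(false)
	fmt.Printf("vulnerable: conn %d answered GET user:42 with %q\n", id, r)
	r, id = scenario(true)
	fmt.Printf("fixed:      conn %d answered GET user:42 with %q\n", id, r)
}
```

In the vulnerable run the application asks for `user:42` and receives `"OK"`, the leftover reply to CLIENT SETINFO, which is the kind of misprocessed response the advisory warns about; in the fixed run the broken connection is discarded and a fresh one returns `"alice"`. The detection angle for operators is the same in both cases: a client that reports command timeouts during connection establishment on an affected version should be treated as at risk of returning mismatched replies until it is upgraded.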

What is the Impact of CVE-2025-29923?

Successful exploitation may lead to data inconsistencies, unexpected application behavior, or application crashes due to the misinterpretation of responses from the Redis server.

What is the Exploitability of CVE-2025-29923?

Exploitation requires timing conditions, such as network latency or server load, that cause the CLIENT SETINFO command to time out during connection establishment. It typically involves a go-redis client application that attempts to connect to a Redis server under such conditions. This is likely a remote vulnerability, since it involves network interaction, but it requires the attacker to influence network conditions or Redis server behaviour (for example, by overloading it) in a very specific way. Direct authentication to the Redis server might not be needed to trigger the timeout if the connection attempt itself is disrupted, but the client application would be the primary attack vector. Complexity is high because it depends on race conditions and specific network or server states, which makes it difficult to reproduce and exploit reliably.

What are the Known Public Exploits?

Known public exploits (PoC, author, link, commentary): none listed.

What are the Available Fixes for CVE-2025-29923?

Available Upgrade Options

  • github.com/redis/go-redis/v9
    • >9.5.1, <9.5.5 → Upgrade to 9.5.5
    • <9.6.3 → Upgrade to 9.6.3
    • >9.7.0-beta.1, <9.7.3 → Upgrade to 9.7.3


Additional Resources

What are Similar Vulnerabilities to CVE-2025-29923?

Similar Vulnerabilities: CVE-2023-50269, CVE-2023-28849, CVE-2023-45819, CVE-2023-26360, CVE-2023-48795