Redis Enterprise Software release notes 8.0.2-17 (October 2025)

Redis Software 8! The most performant, most secure, and richest version so far. Built for performance, scale, and reliability to power modern ML and AI applications.

Redis Enterprise Software

Redis Enterprise Software version 8.0.2 is now available!

Highlights

This version offers:

  • Redis 8.0 and 8.2 feature set versions

  • Performance improvements and memory reduction

  • New vector set data structure

  • Redis Flex revamped engine

  • Redis Query Engine upgrades

  • Lag-aware availability API

  • Metrics stream engine (General Availability)

  • Simplified module management

  • New REST API fields for database and cluster configuration

  • Customer-managed certificates for internode encryption

New in this release

New features

Redis 8.0 and 8.2 feature sets

Redis 8.0 and 8.2 feature sets are now available when you create or upgrade a database with database version 8.2.

Redis 8.0 feature set and enhancements
  • Preview of a new vector set data structure that supports high-dimensional vector similarity search, ideal for AI use cases such as semantic search and recommendation systems.

  • New hash commands HGETEX, HSETEX, and HGETDEL, which can simplify caching and session management patterns.

  • Enhanced access control lists (ACLs) to support new data structures introduced in Redis 8.

    • Existing ACL categories such as @read and @write now include commands for JSON, time series, vector, and probabilistic data structures.

    • New ACL categories: @search, @json, @timeseries, @bloom, @cuckoo, @topk, @cms, and @tdigest.

  • Redis Query Engine improvements.

  • Significant performance improvements, including:

    • Up to 87% lower command latency.

    • 35% memory savings for replica nodes.

    • 16x more query processing capacity with horizontal and vertical scaling.

  • See What's new in Redis 8.0 and Redis Open Source 8.0 release notes for more details.

Redis 8.2 feature set and enhancements
  • New Redis streams commands XDELEX and XACKDEL that simplify consumer group management and stream lifecycle operations.

  • New operators DIFF, DIFF1, ANDOR, and ONE for the BITOP command, which enable more complex bitmap workflows and can simplify operations that previously required multiple commands.

  • New keyspace notification event types OVERWRITTEN and TYPE_CHANGED that provide better visibility into data changes.

  • Performance optimizations and memory efficiency improvements.

  • Redis Query Engine improvements.

  • See What's new in Redis 8.2 and Redis Open Source 8.2 release notes for more details.

Built-in capabilities with Redis 8

Redis Enterprise Software databases created with or upgraded to Redis version 8 include all the Redis capabilities, built in the database version as follows:

Database type               Automatically enabled capabilities
RAM-only                    Search and query, JSON, Time series, Probabilistic
Flash-enabled (Redis Flex)  JSON, Probabilistic
Active-Active               Search and query, JSON

Performance improvements and memory reduction

  • More than 30 performance, resource utilization, and memory footprint improvements.

  • An improved replication mechanism that is more performant (faster) and robust and saves up to 35% memory during replication.

  • Up to 87% lower command latency.

  • Redis Query Engine (RQE): Up to 144% higher QPS and new vector compression.

Redis Flex revamped engine

Redis Flex is getting a revamped engine with performance improvements, increased stability, and the removal of previous limitations around RAM utilization.

Redis Flex now offloads the least used keys with their values, allowing more hot data to be stored in RAM. This increases performance for most real-world use cases.

Past limitations requiring minimum RAM allocation to store all the database's keys are no longer relevant, allowing more flexibility and higher resource utilization.

  • Databases with Redis version 8.2 and later (newly created or upgraded to those versions) automatically use the new Redis Flex engine.

  • Databases with Redis version 7.4 and earlier will continue to run on the previous engine.

For more information about Redis Flex, see:

Lag-aware availability API

The database availability API now supports lag-aware availability checks that consider replication lag tolerance.

You can reduce the risk of data inconsistencies during disaster recovery by incorporating lag-aware availability checks into your disaster recovery solution and ensuring failover-failback flows only occur when databases are accessible and sufficiently synchronized.

The lag tolerance threshold is 100 milliseconds by default. Depending on factors such as workload, network conditions, and throughput, you might want to adjust the lag tolerance threshold using one of the following methods:

  • Change the default threshold for the entire cluster by setting availability_lag_tolerance_ms with an update cluster request.

  • Override the default threshold by adding the availability_lag_tolerance_ms query parameter to specific lag-aware availability checks. For example:

    GET /v1/bdbs/<database_id>/availability?extend_check=lag&availability_lag_tolerance_ms=100

For more details, see Check database availability for monitoring and load balancers.

Metrics stream engine GA

The metrics stream engine is now generally available:

  • The metrics stream engine's exporter-based infrastructure provides access to more accurate, real-time data. This enhanced, scalable monitoring system allows you to set up more effective alerts and respond to issues faster.

  • Exposes a new /v2 Prometheus scraping endpoint that you can use to export metrics to external monitoring tools such as Grafana, DataDog, NewRelic, and Dynatrace.

  • Exports raw data instead of aggregated data to improve monitoring at scale and accuracy compared to v1 Prometheus metrics.

  • For a list of metrics exported by the metrics stream engine, see Prometheus metrics v2.

  • To transition to the metrics stream engine, either migrate your existing dashboards using Prometheus v1 metrics and equivalent v2 PromQL or use new preconfigured dashboards.

  • As part of the transition to the metrics stream engine, some internal cluster manager alerts were deprecated in favor of external monitoring solutions. See the alerts transition plan for guidance.

  • See Best practices for monitoring for a list of recommended metrics to monitor.

Customer-managed certificates for internode encryption

Instead of using Redis Enterprise Software's self-signed certificates for internode encryption, you can provide certificates generated by your Certificate Authority (CA). See Customer-provided certificates for details.

Enhancements

  • Module management enhancements:

    • Operating system (OS) upgrades no longer require manually uploading module packages compiled for the target OS version to a node in the existing cluster.

    • Copying module packages to a node in the cluster before cluster recovery is no longer required.

    • Added new REST API requests to manage custom, user-defined modules. See Custom module management APIs for details.

    • Added module configuration fields to the database configuration. Use search, query_performance_factor, timeseries, and probabilistic objects to configure Redis modules instead of the deprecated module_args field. These fields are visible in GET /v1/bdbs requests only when using the extended=true query parameter.

    • Added --update-db-config-modules option to the crdb-cli crdb update command to streamline updating module information in the CRDB configuration after upgrading modules used by Active-Active databases. Use this option only after all CRDB database instances have upgraded their modules.

      crdb-cli crdb update --crdb-guid <guid> --update-db-config-modules true
  • Added a check to block new user creation after the maximum limit of 32,000 users has been reached:

    • Added a cluster alert cluster_users_count_approaches_limit, which triggers when the number of users surpasses a threshold percentage of the maximum user limit. This alert is enabled with a 90% threshold by default on new clusters.

    • Added a users_count cluster metric to Prometheus metrics v2 that shows the current number of users on the cluster.

  • New database configuration fields in the REST API for automatic shard balancing:

    • auto_shards_balancing: Automatically balances database shards.

    • auto_shards_balancing_grace_period: Time to wait before auto sharding is initiated.

    • shard_imbalance_threshold: Threshold for automatic shard balancing based on imbalance size.

    • shard_imbalance_threshold_percentage: Threshold for automatic shard balancing based on imbalance percentage.

  • Additional REST API enhancements:

    • New last_login field for users, which stores the UNIX timestamp of the user's last successful login to the Cluster Manager UI or REST API.

    • Added cluster configuration fields:

      • disconnect_clients_on_password_removal: Controls whether client connections using removed, revoked, or rotated passwords are actively disconnected.

      • replica_sconns_on_demand: When enabled, the DMC stops holding persistent connections to replica shards and reduces the number of internode connections by half.

      • metrics_auth: If set to true, enables basic authentication for Prometheus exporters and restricts access to authenticated users with admin, cluster_member, or cluster_viewer management roles.

    • Added database configuration fields:

      • conns_global_maximum_dedicated: Defines the maximum number of dedicated server connections for a database across all workers.

      • conns_minimum_dedicated: Defines the minimum number of dedicated server connections the DMC maintains per worker per shard.

      • disconnect_clients_on_password_removal: Controls whether client connections using removed, revoked, or rotated passwords are actively disconnected.

      • link_sconn_on_full_request: Feature flag for DMC behavior on linking client requests.

      • partial_request_timeout_seconds: Timeout for incomplete client commands that cause head-of-line blocking.

      • preemptive_drain_timeout_seconds: Timeout for preemptive drain of client connections before a shard is taken down.

      • replica_sconns_on_demand: When enabled, the DMC stops holding persistent connections to replica shards and reduces the number of internode connections by half.

      • use_selective_flush: Enables selective flush of destination shards.

  • Added action IDs to operation and state machine log entries.

  • Internal connections no longer generate new_int_conn audit records.

  • Improved control plane authentication handling for new clusters with a dedicated authentication service.

  • Improved handling of long-running read-only scripts to reduce unnecessary failovers.

Redis database versions

Redis Enterprise Software version 8.0.2 includes five Redis database versions: 8.2, 8.0, 7.4, 7.2, and 6.2.

The default Redis database version is 8.2.

Redis feature sets

Redis Enterprise Software includes multiple feature sets, compatible with different Redis database versions.

The following table shows which Redis modules are compatible with each Redis database version included in this release.

Redis database version   Compatible Redis modules
8.2                      RediSearch 8.2, RedisJSON 8.2, RedisTimeSeries 8.2, RedisBloom 8.2
                         See What's new in Redis 8.2 and Redis Open Source 8.2 release notes
8.0                      RediSearch 8.0, RedisJSON 8.0, RedisTimeSeries 8.0, RedisBloom 8.0
                         See What's new in Redis 8.0 and Redis Open Source 8.0 release notes
7.4                      RediSearch 2.10, RedisJSON 2.8, RedisTimeSeries 1.12, RedisBloom 2.8
7.2                      RediSearch 2.8, RedisJSON 2.6, RedisTimeSeries 1.10, RedisBloom 2.6
6.2                      RediSearch 2.6, RedisJSON 2.4, RedisTimeSeries 1.8, RedisBloom 2.4

Resolved issues

  • RS156391: Fixed an issue where the job_scheduler's memory usage could increase significantly when the diagnostic logging service was enabled.

  • RS132033: Fixed an issue where out-of-memory errors in the Lua interpreter prevented scripts from running Redis commands until the shard was restarted. This fix is included in Redis database version 7.2 and requires a database upgrade from earlier versions.

  • RS153192: Updated the installer's minimum RAM requirement to 8 GB.

  • RS159685: Fixed an issue with high DMC CPU usage after changing the primary node of a cluster that has Active-Active databases.

  • RS160546: Fixed an issue where rladmin status extra all did not show available RAM.

  • RS150592: Fixed an issue where connection errors were not automatically retried.

  • RS161945: Fixed an issue where state machine logs showed a generic state machine ID instead of the descriptive state machine name when creating a database from persistence.

  • RS160196: Fixed an issue where a node could be set as primary before completing the bootstrap process.

  • RS153736: Fixed an issue where the PUBSUB SHARDNUMSUB command would not respond when called without arguments if the OSS Cluster API was enabled.

  • RS163254: Fixed an issue where the policy update logs displayed inconsistent boolean value formats, mixing enabled/disabled and True/False.

  • RS158250: Fixed an issue with Active-Active databases with search enabled where replica shards could crash after migration to a new node.

  • RS164471: Fixed an issue where the script to generate self-signed certificates (generate_self_signed_certs.sh) failed on custom installations due to hard-coded file paths.

  • RS164218: Fixed an issue where Speedb log files were not properly rotated and archived, causing logs to accumulate and consume disk space.

  • RS162719: Fixed an issue where connection problems could prevent shards from restarting during failover and cause the failover process to become stuck.

  • RS161589: Changed the installer answers file parameter from skip_updating_env_path to update_env_path to improve clarity and accuracy.

  • RS161574: Fixed an issue where Active-Active database synchronization could fail when Lua scripts used certain read-only commands that accessed keys across multiple slots.

  • RS160347: Made optimizations to reduce the heartbeatd service's memory usage.

  • RS156394: Improved error messages when module commands are temporarily unavailable during cluster configuration changes.

  • RS154815: Improved diagnostic reporting for connection issues when the maximum number of transactions is reached.

  • RS147053: Fixed an issue where some system_reserved_ports were not displayed in the rladmin info cluster command output.

  • RS114668: Fixed an issue where setting failure_detection_sensitivity with the bootstrap API did not automatically update watchdog_profile accordingly.

  • RS163266: Fixed an issue where shard rebalancing could take excessive time when replicas were unresponsive due to high CPU load by reducing connection retry attempts from 300 to 5.

  • RS162524: Fixed an issue where the DNS backend could fail with "too many open files" errors due to socket leaks.

  • RS161547: Fixed an issue where nodes could fail to send messages related to state machines due to a timing issue between notification threads and management threads.

  • RS155990: Fixed an issue where the forwarding_state field was missing from the endpoint schema.

  • RS166307: Updated v2 Prometheus metric names to comply with naming conventions by changing the proxy_ prefix to endpoint_ for connections_rate, rate_limit_ok, rate_limit_overflows, accepted_connections, and dispatch_failures.

  • RS164703: Improved diagnostic reporting for shard restart operations by adding PID logging before shutdown.

  • RS152179: Reduced log noise by removing a harmless error message that appeared repeatedly in DMC proxy logs.

  • RS132087: Fixed inconsistent node status reports between rladmin and the REST API.

  • RS166878: Fixed legacy module_args mapping to handle boolean fields as TRUE/FALSE values instead of flags.

  • RS166825: Fixed an issue where the Sentinel service could become unresponsive while processing certain commands due to a timing issue.

  • RS162290: Fixed an issue where the node status API returned 0 instead of the actual provisional RAM and flash values if the node reached its shard limit.

  • RS158251: Added a check to block new user creation after the maximum limit of 32,000 users has been reached to prevent DMC proxy crashes.

  • RS166813: Fixed an issue where Lua incorrectly converted empty JSON arrays into empty JSON objects.

  • RS166683: Fixed an issue where FT.DROPINDEX index DD deleted indexed keys on the local Active-Active database instance but failed to sync the deletions to instances in other participating clusters.

  • RS162972: Fixed an issue where the REST API was only accessible from the primary node when certificate-based authentication was enabled.

  • RS158972: Fixed an issue where certificate verification failed during node join and replace operations when internode encryption was enabled, causing connection errors until certificates were fetched from the primary node.

  • RS123263: Fixed an issue where creating a new role with a specified UID failed with "A uid is already assigned" error.

  • RS120420: Fixed an issue where rladmin cluster config incorrectly included quotes as part of the cipher suite value when updating control_cipher_suites configuration.

  • RS170611: Fixed an issue where the generate_self_signed_certs.sh script incorrectly formatted wildcard certificate entries.

  • RS167849: Fixed an issue where rlutil check incorrectly reported that existing databases did not exist.

  • RS167199: Fixed an issue where the remove node action could become stuck during node decommissioning.

  • RS166990: Fixed an issue where install logs were not included in support packages when installation or upgrade operations failed.

  • RS166528: Improved error handling when verifying that a data file has been loaded.

  • RS162973: Fixed an issue with shard failover where the shard failed to restart because its port was not released quickly enough after it crashed.

  • RS166122: Fixed an issue where the actions API could incorrectly report state machine operations as running after they completed.

  • RS171579: Fixed an issue where the new UI incorrectly added default_user: False when the default_user field was absent, causing connection issues.

Version changes

  • POST /v1/cluster/actions/change_master REST API requests will no longer allow a node that exists but is not finished bootstrapping to become the primary node. Such requests will now return the status code 406 Not Acceptable.

  • Node status now returns the actual provisional RAM and flash values even when the maximum number of shards on the node (max_redis_servers) is reached. Previously, the API returned 0 for provisional_ram_of_node and provisional_flash_of_node when a node reached its shard limit. This change affects REST API node status requests and the rladmin status nodes command's output.

Breaking changes

Redis database version 8 breaking changes

When new major versions of Redis Open Source change existing commands, upgrading your database to a new version can potentially break some functionality. Before you upgrade, read the provided list of breaking changes that affect Redis Software and update any applications that connect to your database to handle these changes.

ACL behavior changes

Before Redis 8, the existing ACL categories @read, @write, @dangerous, @admin, @slow, and @fast did not include commands for the Redis Query Engine and the JSON, time series, and probabilistic data structures.

Starting with Redis 8, Redis includes all Query Engine, JSON, time series, Bloom filter, cuckoo filter, top-k, count-min sketch, and t-digest commands in these existing ACL categories.

As a result:

  • Existing ACL rules such as +@read +@write will allow access to more commands than in previous versions of Redis. Here are some examples:

    • A user with +@read access will be able to execute FT.SEARCH.

    • A user with +@write access will be able to execute JSON.SET.

  • ACL rules such as +@all -@write will allow access to fewer commands than previous versions of Redis.

    • For example, a user with +@all -@write will not be able to execute JSON.SET.

    • Explicit inclusion of new command categories is required to maintain access. The new categories are: @search, @json, @timeseries, @bloom, @cuckoo, @topk, @cms, and @tdigest.

  • ACL rules such as +@read +JSON.GET can now be simplified as +@read because JSON.GET is included in the @read category.

Note that the @all category did not change, as it always included all the commands.
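To make the effect of these category changes concrete, here is an added Python model (not part of the release notes or of Redis itself) that applies an ACL rule string left to right against a pre-8 and a Redis 8 category table and reports which commands a rule newly allows or newly denies after the upgrade. The category tables are an assumption trimmed to the commands the notes name (plus GET and SET); real categories contain many more commands.

```python
"""Model of the Redis 8 ACL category change described above.

Added example; not part of the release notes or of Redis itself. The
category tables are an assumption trimmed to the commands the notes name
(plus GET and SET); real categories contain many more commands.
"""
from typing import Dict, Set

Categories = Dict[str, Set[str]]

# Commands used in the notes' examples, plus two core commands.
ALL_COMMANDS = {"GET", "SET", "FT.SEARCH", "JSON.GET", "JSON.SET"}

# Before Redis 8: @read/@write cover core commands only. Module commands
# are reachable through @all or by naming them (e.g. +JSON.GET).
CATEGORIES_V7: Categories = {
    "@all": set(ALL_COMMANDS),
    "@read": {"GET"},
    "@write": {"SET"},
}

# Redis 8: module commands join @read/@write, and the new per-module
# categories (@search, @json, ...) exist. @all is unchanged.
CATEGORIES_V8: Categories = {
    "@all": set(ALL_COMMANDS),
    "@read": {"GET", "FT.SEARCH", "JSON.GET"},
    "@write": {"SET", "JSON.SET"},
    "@search": {"FT.SEARCH"},
    "@json": {"JSON.GET", "JSON.SET"},
}


def allowed_commands(rule: str, categories: Categories) -> Set[str]:
    """Apply the +/- tokens of an ACL rule left to right, as Redis does.

    Only +@category, -@category, +COMMAND and -COMMAND are modelled.
    A category unknown to the given version raises, mirroring the error
    Redis returns for a rule that names a nonexistent category.
    """
    granted: Set[str] = set()
    for token in rule.split():
        if not token or token[0] not in "+-":
            raise ValueError(f"unsupported ACL token: {token!r}")
        sign, name = token[0], token[1:]
        if name.startswith("@"):
            if name not in categories:
                raise ValueError(f"unknown ACL category: {name}")
            members = categories[name]
        else:
            members = {name.upper()}
        if sign == "+":
            granted |= members
        else:
            granted -= members
    return granted


def audit_rule(rule: str) -> Dict[str, Set[str]]:
    """Return which modelled commands a rule newly allows ("widened") or
    newly denies ("narrowed") when the database moves to Redis 8."""
    before = allowed_commands(rule, CATEGORIES_V7)
    after = allowed_commands(rule, CATEGORIES_V8)
    return {"widened": after - before, "narrowed": before - after}


if __name__ == "__main__":
    # The three cases the release notes call out, plus the simplification case.
    for rule in ("+@read", "+@write", "+@all -@write", "+@read +JSON.GET"):
        print(f"{rule!r:22} -> {audit_rule(rule)}")
```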

Redis Query Engine changes

The following changes affect behavior and validation in the Redis Query Engine:

  • Enforces validation for LIMIT arguments (offset must be 0 if limit is 0).

  • Enforces parsing rules for FT.CURSOR READ and FT.ALIASADD.

  • Parentheses are now required for exponentiation precedence in APPLY expressions.

  • Invalid input now returns errors instead of empty results.

  • Default values revisited for reducers like AVG, COUNT, SUM, STDDEV, QUANTILE, and others.

  • Updates to scoring (BM25 is now the default instead of TF-IDF).

  • Improved handling of expired records, memory constraints, and malformed fields.

Deprecations

API deprecations

  • Deprecated the policy field for bootstrap REST API requests. Use PUT /v1/cluster/policy to change cluster policies after cluster creation instead.

  • Deprecated the module_args field for database REST API requests. Use the new module configuration objects search, timeseries, and probabilistic instead.

Redis Query Engine deprecations

  • Deprecated commands: FT.ADD, FT.SAFEADD, FT.DEL, FT.GET, FT.MGET, FT.SYNADD, FT.DROP, FT._DROPIFX, and FT.CONFIG.

  • Deprecated FT.SEARCH options: GEOFILTER, FILTER, and NOSTOPWORDS.

  • Deprecated vector search options: INITIAL_CAP and BLOCK_SIZE.

  • Deprecated configuration parameters: WORKER_THREADS, MT_MODE, PRIVILEGED_THREADS_NUM, and GCSCANSIZE.

  • Deprecated dialects: DIALECT 1, DIALECT 3, and DIALECT 4.

Internal monitoring and v1 Prometheus metrics deprecation

The existing internal monitoring engine is deprecated. We recommend transitioning to the new metrics stream engine for improved performance, enhanced integration capabilities, and modernized metrics streaming.

V1 Prometheus metrics are deprecated but still available. To transition to the new metrics stream engine, either migrate your existing dashboards using this guide or use new preconfigured dashboards.

As part of the transition to the metrics stream engine, some internal cluster manager alerts were deprecated in favor of external monitoring solutions. See the alerts transition plan for guidance.

Supported platforms

The following table provides a snapshot of supported platforms as of this Redis Enterprise Software release. See the supported platforms reference for more details about operating system compatibility.

Supported – The platform is supported for this version of Redis Enterprise Software and Redis Stack modules.

⚠️ Deprecation warning – The platform is still supported for this version of Redis Enterprise Software, but support will be removed in a future release.

Redis Software major version   Release date   End-of-life date
8.0                            Oct 2025       Determined after next major release
7.22                           May 2025       Oct 2027
7.8                            Nov 2024       May 2027
7.4                            Feb 2024       Nov 2026
7.2                            Aug 2023       Feb 2026
6.4                            Feb 2023       Aug 2025
6.2                            Aug 2021       Feb 2025

Platforms:
  RHEL 9 & compatible distros [1]
  RHEL 9 FIPS mode [5]
  RHEL 8 & compatible distros [1]
  RHEL 7 & compatible distros [1] ⚠️
  Ubuntu 22.04 [2]
  Ubuntu 20.04 [2]
  Ubuntu 18.04 [2] ⚠️ ⚠️
  Ubuntu 16.04 [2] ⚠️
  Amazon Linux 2
  Amazon Linux 1
  Kubernetes [3]
  Docker [4]
  1. The RHEL-compatible distributions CentOS, CentOS Stream, Alma, and Rocky are supported if they have full RHEL compatibility. Oracle Linux running the Red Hat Compatible Kernel (RHCK) is supported, but the Unbreakable Enterprise Kernel (UEK) is not supported.

  2. The server version of Ubuntu is recommended for production installations. The desktop version is only recommended for development deployments.

  3. See the Redis Enterprise for Kubernetes documentation for details about support per version and Kubernetes distribution.

  4. Docker images of Redis Enterprise Software are certified for development and testing only.

  5. Supported only if FIPS was enabled during RHEL installation to ensure FIPS compliance.

Downloads

The following table shows the SHA256 checksums for the available packages:

Package                             SHA256 checksum (8.0.2-17 October release)
Ubuntu 20                           48671f14727daeb79a2e30d4f176ce2ed611641530f7f91fab4639572f7e33fc
Ubuntu 22 (amd64)                   dd3f0fc0ac499f68b8bc155290e86ca1a6686f85312be1058ae3a05c46ec5558
Ubuntu 22 (arm64)                   0fca0f5a365954fa062fd5b7304666bb147f1f6f63eea93b4d932faab4082edd
Red Hat Enterprise Linux (RHEL) 8   f707a31101598a88c64fc2cd7eee7266d51ff0e1a90c768584f88e1459d158fc
Red Hat Enterprise Linux (RHEL) 9   00015c18a6734d243ae82c1046bd320cbb904b78912c9835d287b17d807c1161
Amazon Linux 2                      aaeb4c71f6ee4883213909fcface49b442b2f1c536c244159dd5acc2cafed06e

Known issues

  • RS131972: Creating an ACL that contains a line break in the Cluster Manager UI can cause shard migration to fail due to ACL errors.

  • RS155734: Endpoint availability metrics do not work as expected due to a calculation error.

Known limitations

Rolling upgrade limitation for clusters with custom or deprecated modules

Due to module handling changes introduced in Redis Enterprise Software version 8.0, upgrading a cluster that contains custom or deprecated modules, such as RedisGraph and RedisGears v2, can become stuck when adding a new node to the cluster during a rolling upgrade.

Module commands limitation during Active-Active database upgrades to Redis 8.0

When upgrading an Active-Active database to Redis version 8.0, you cannot use module commands until all Active-Active database instances have been upgraded. Currently, these commands are not blocked automatically.

Redis 8.0 database cannot be created with flash

You cannot create a Redis 8.0 database with flash storage enabled. Create a Redis 8.0 database with RAM-only storage instead, or use Redis 8.2 for flash-enabled (Redis Flex) databases.

New Cluster Manager UI limitations

The following legacy UI features are not yet available in the new Cluster Manager UI:

Security

Redis Open Source security fixes compatibility

As part of Redis's commitment to security, Redis Enterprise Software implements the latest security fixes available with Redis Open Source. Redis Enterprise Software has already included the fixes for the relevant CVEs.

Some CVEs announced for Redis Open Source do not affect Redis Enterprise Software due to different or additional functionality available in Redis Enterprise Software that is not available in Redis Open Source.

Redis Enterprise Software 8.0.2-17 supports Redis Open Source 8.2, 8.0, 7.4, 7.2, and 6.2. Below is the list of Redis Open Source CVEs fixed by version.

Redis 8.2.x:

  • (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different Lua objects and potentially run their own code in the context of another user.

  • (CVE-2025-46819) An authenticated user may use a specially crafted Lua script to read out-of-bounds data or crash the server and lead to subsequent denial of service.

  • (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution.

  • (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution.

Redis 8.0.x:

  • (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different Lua objects and potentially run their own code in the context of another user.

  • (CVE-2025-46819) An authenticated user may use a specially crafted Lua script to read out-of-bounds data or crash the server and lead to subsequent denial of service.

  • (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution.

  • (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution.

Redis 7.4.x:

  • (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different Lua objects and potentially run their own code in the context of another user.

  • (CVE-2025-46819) An authenticated user may use a specially crafted Lua script to read out-of-bounds data or crash the server and lead to subsequent denial of service.

  • (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution.

  • (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution.

  • (CVE-2025-32023) An authenticated user can use a specially crafted string to trigger a stack/heap out-of-bounds write on HyperLogLog operations, which can lead to remote code execution.

  • (CVE-2025-21605) An unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is terminated, which can lead to denial-of-service.

Redis 7.2.x:

  • (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different Lua objects and potentially run their own code in the context of another user.

  • (CVE-2025-46819) An authenticated user may use a specially crafted Lua script to read out-of-bounds data or crash the server and lead to subsequent denial of service.

  • (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution.

  • (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution.

  • (CVE-2025-32023) An authenticated user can use a specially crafted string to trigger a stack/heap out-of-bounds write on HyperLogLog operations, which can lead to remote code execution.

  • (CVE-2025-21605) An unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is terminated, which can lead to denial-of-service.

  • (CVE-2024-31449) An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution.

  • (CVE-2024-31228) An authenticated user can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as KEYS, SCAN, PSUBSCRIBE, FUNCTION LIST, COMMAND LIST, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crashes.

  • (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory buffers, which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution.

  • (CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. (Redis 7.2.1)

Redis 7.0.x:

  • (CVE-2024-31449) An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution.

  • (CVE-2024-31228) An authenticated user can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as KEYS, SCAN, PSUBSCRIBE, FUNCTION LIST, COMMAND LIST, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crashes.

  • (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory buffers, which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution.

  • (CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. (Redis 7.0.13)

  • (CVE-2023-36824) Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption, and potentially remote code execution. Specifically: using COMMAND GETKEYS* and validation of key names in ACL rules. (Redis 7.0.12)

  • (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access. (Redis 7.0.11)

  • (CVE-2023-28425) Specially crafted MSETNX commands can lead to assertion and denial-of-service. (Redis 7.0.10)

  • (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 7.0.9)

  • (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service. (Redis 7.0.8)

  • (CVE-2022-36021) String matching commands (such as SCAN or KEYS) given a specially crafted pattern can cause Redis to hang and consume 100% CPU time, resulting in a denial of service. (Redis 7.0.9)

  • (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic. (Redis 7.0.8)

  • (CVE-2022-35951) Executing an XAUTOCLAIM command on a stream key in a specific state, with a specially crafted COUNT argument, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer. (Redis 7.0.5)

  • (CVE-2022-31144) A specially crafted XAUTOCLAIM command on a stream key in a specific state may result in heap overflow and potentially remote code execution. The problem affects Redis versions 7.0.0 or newer. (Redis 7.0.4)

  • (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 7.0.12)

  • (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference, which will result in a crash of the redis-server process. This issue affects all versions of Redis. (Redis 7.0.0)

  • (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. (Redis 7.0.0)

Redis 6.2.x:

  • (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different Lua objects and potentially run their own code in the context of another user.

  • (CVE-2025-46819) An authenticated user may use a specially crafted Lua script to read out-of-bound data or crash the server and lead to subsequent denial of service.

  • (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution.

  • (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution.

  • (CVE-2025-32023) An authenticated user can use a specially crafted string to trigger a stack/heap out-of-bounds write on HyperLogLog operations, which can lead to remote code execution.

  • (CVE-2025-21605) An unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is terminated, which can lead to denial-of-service.

  • (CVE-2024-31449) An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution.

  • (CVE-2024-31228) An authenticated user can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as KEYS, SCAN, PSUBSCRIBE, FUNCTION LIST, COMMAND LIST, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crashes.

  • (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access. (Redis 6.2.12)

  • (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 6.2.11)

  • (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service. (Redis 6.2.9)

  • (CVE-2022-36021) String matching commands (such as SCAN or KEYS) given a specially crafted pattern can cause Redis to hang and consume 100% CPU time, resulting in a denial of service. (Redis 6.2.11)

  • (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic. (Redis 6.2.9)

  • (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 6.2.13)

  • (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference, which will result in a crash of the redis-server process. This issue affects all versions of Redis. (Redis 6.2.7)

  • (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. (Redis 6.2.7)

  • (CVE-2021-41099) Integer overflow leading to heap buffer overflow when handling certain string commands and network payloads, when proto-max-bulk-len is manually configured to a non-default, very large value. (Redis 6.2.6)

  • (CVE-2021-32762) Integer overflow leading to heap buffer overflow in redis-cli and redis-sentinel when parsing large multi-bulk replies on some older and less common platforms. (Redis 6.2.6)

  • (CVE-2021-32761) An integer overflow bug in Redis version 2.2 or newer can be exploited using the BITFIELD command to corrupt the heap and potentially result in remote code execution. (Redis 6.2.5)

  • (CVE-2021-32687) Integer overflow leading to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value. (Redis 6.2.6)

  • (CVE-2021-32675) Denial of service when processing RESP request payloads with a large number of elements on many connections. (Redis 6.2.6)

  • (CVE-2021-32672) Random heap memory read issue in the Lua debugger. (Redis 6.2.6)

  • (CVE-2021-32628) Integer overflow leading to heap buffer overflow when handling ziplist-encoded data types, when configuring a large, non-default value for hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value. (Redis 6.2.6)

  • (CVE-2021-32627) Integer overflow leading to heap buffer overflow with streams, when configuring a non-default, large value for proto-max-bulk-len and client-query-buffer-limit. (Redis 6.2.6)

  • (CVE-2021-32626) Specially crafted Lua scripts may result in a heap buffer overflow. (Redis 6.2.6)

  • (CVE-2021-32625) An integer overflow bug in Redis version 6.0 or newer can be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix for CVE-2021-29477. (Redis 6.2.4)

  • (CVE-2021-29478) An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and potentially result in remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration value, creating a large set key that consists of integer values, and using the COPY command to duplicate it. The integer overflow bug exists in all versions of Redis starting with 2.6, where it could result in a corrupted RDB or DUMP payload, but it could not be exploited through COPY (which did not exist before 6.2). (Redis 6.2.3)

  • (CVE-2021-29477) An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. The integer overflow bug exists in all versions of Redis starting with 6.0. (Redis 6.2.3)
