CVE-2025-46686
CVSS 3.1 base score: 3.5 (LOW)
EPSS: 0.17%
Description
Redis through 8.0.3 allows memory consumption via a multi-bulk command composed of many bulks, sent by an authenticated user. This occurs because the server allocates memory for the command arguments of every bulk, even when the command is skipped because of insufficient permissions. NOTE: this is disputed by the Supplier because abuse of the command network protocol is not a violation of the Redis Security Model.
How to fix CVE-2025-46686
To remediate CVE-2025-46686, upgrade the affected package to a fixed version below.
- no fix listed
- upgrade to 8.0.4 or later
- upgrade to 8.0.4 or later
- no fix listed
Is CVE-2025-46686 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, <= 8.0.3
- from 0, < 8.0.4
- from 0, < 8.0.4
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW (3.5) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |