CVE-2025-49112

Description

setDeferredReply in networking.c in Valkey through 8.1.1 has an integer underflow for prev->size - prev->used.

How to fix CVE-2025-49112

To remediate CVE-2025-49112, upgrade the affected package to a fixed version below.

• Bitnami/keydb—no fix listed
• Bitnami/redis—no fix listed
• Bitnami/valkey—upgrade to 8.1.4 or later
• —upgrade to 7.3.5+ds-1 or later
• —no fix listed
• —upgrade to 8.1.1+dfsg1-2 or later

Is CVE-2025-49112 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• from 0, < 8.1.4
• from 0, < 7.3.5+ds-1
• from 0
• from 0, < 8.1.1+dfsg1-2

CVSS scores

References (6)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-49112
• WEBgithub.com/redis/redis/blob/994bc96bb1744cb153392fc96bdba43eae56e17f/src/networking.c#L783
• WEBgithub.com/redis/redis/issues/14199
• WEBgithub.com/valkey-io/valkey/blob/daea05b1e26db29bfd1c033e27f9d519a2f8ccbb/src/networking.c#L886