CVE-2025-29923 (GCVE-0-2025-29923)

Vulnerability from cvelistv5 – Published: 2025-03-20 18:03 – Updated: 2025-03-20 19:43
VLAI
Title
go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment
Summary
go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.
Severity
3.7 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Vendor Product Version
redis go-redis Affected: >= 9.7.0-beta.1, < 9.7.3
Affected: >= 9.6.0b1, < 9.6.3
Affected: >= 9.5.1, < 9.5.5
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-29923",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-20T19:43:05.478582Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-20T19:43:13.663Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go-redis",
          "vendor": "redis",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.7.0-beta.1, \u003c 9.7.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 9.6.0b1, \u003c 9.6.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 9.5.1, \u003c 9.5.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-20T18:03:14.933Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7"
        },
        {
          "name": "https://github.com/redis/go-redis/pull/3295",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/redis/go-redis/pull/3295"
        },
        {
          "name": "https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6"
        }
      ],
      "source": {
        "advisory": "GHSA-92cp-5422-2mw7",
        "discovery": "UNKNOWN"
      },
      "title": "go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-29923",
    "datePublished": "2025-03-20T18:03:14.933Z",
    "dateReserved": "2025-03-12T13:42:22.136Z",
    "dateUpdated": "2025-03-20T19:43:13.663Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-29923",
      "date": "2026-06-04",
      "epss": "0.00158",
      "percentile": "0.36391"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-29923\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-03-20T18:15:19.230\",\"lastModified\":\"2025-03-20T18:15:19.230\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.\"},{\"lang\":\"es\",\"value\":\"go-redis es la librer\u00eda cliente oficial de Redis para el lenguaje de programaci\u00f3n Go. En versiones anteriores a las 9.5.5, 9.6.3 y 9.7.3, go-redis pod\u00eda responder de forma incorrecta cuando se agotaba el tiempo de espera de `CLIENT SETINFO` durante el establecimiento de la conexi\u00f3n. Esto puede ocurrir cuando el cliente est\u00e1 configurado para transmitir su identidad, existen problemas de conectividad de red o se configur\u00f3 con tiempos de espera agresivos. El problema se presenta en varios casos de uso. En conexiones persistentes, se reciben respuestas incorrectas persistentes durante la vida \u00fatil de la conexi\u00f3n. Todos los comandos en la canalizaci\u00f3n reciben respuestas incorrectas. Al usar el ConnPool predeterminado, una vez que se devuelve una conexi\u00f3n despu\u00e9s de usar ConnPool#Put, se revisa el b\u00fafer de lectura y la conexi\u00f3n se marca como incorrecta debido a los datos no le\u00eddos. Esto significa que se recibe como m\u00e1ximo una respuesta incorrecta antes de que se descarte la conexi\u00f3n. Este problema se solucion\u00f3 en las versiones 9.5.5, 9.6.3 y 9.7.3. Puede evitar la vulnerabilidad estableciendo el indicador DisableIndentity en verdadero al construir la instancia del cliente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"references\":[{\"url\":\"https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/redis/go-redis/pull/3295\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-20\", \"lang\": \"en\", \"description\": \"CWE-20: Improper Input Validation\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 3.7, \"baseSeverity\": \"LOW\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7\"}, {\"name\": \"https://github.com/redis/go-redis/pull/3295\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/redis/go-redis/pull/3295\"}, {\"name\": \"https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6\"}], \"affected\": [{\"vendor\": \"redis\", \"product\": \"go-redis\", \"versions\": [{\"version\": \"\u003e= 9.7.0-beta.1, \u003c 9.7.3\", \"status\": \"affected\"}, {\"version\": \"\u003e= 9.6.0b1, \u003c 9.6.3\", \"status\": \"affected\"}, {\"version\": \"\u003e= 9.5.1, \u003c 9.5.5\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-03-20T18:03:14.933Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.\"}], \"source\": {\"advisory\": \"GHSA-92cp-5422-2mw7\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-29923\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-20T19:43:05.478582Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-20T19:43:09.152Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-29923\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2025-03-12T13:42:22.136Z\", \"datePublished\": \"2025-03-20T18:03:14.933Z\", \"dateUpdated\": \"2025-03-20T19:43:13.663Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.