Description: go-redis, the official Redis client library for the Go programming language, has a vulnerability that can cause out-of-order responses in versions prior to 9.5.5, 9.6.3, and 9.7.3. The vulnerability is triggered when the CLIENT SETINFO command times out during connection establishment.
The problem shows up in two ways, depending on how the connection is used:
1. For sticky connections: You receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses.
2. When used with the default ConnPool: Once a connection is returned after use with ConnPool#Put, the read buffer will be checked, and the connection will be marked as bad due to the unread data. This means that there will be at most one out-of-order response before the connection is discarded.
This issue is fixed in go-redis versions 9.5.5, 9.6.3, and 9.7.3. Users are advised to update their go-redis library to one of these patched versions.
Preventing the Vulnerability
You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance as shown in the following code snippet:
package main

import (
	"github.com/redis/go-redis/v9" // module path of the affected v9 releases
)

func main() {
	client := redis.NewClient(&redis.Options{
		Addr: "localhost:6379",
		// Suppresses the CLIENT SETINFO handshake command. The field is spelled
		// DisableIndentity in the go-redis Options struct.
		DisableIndentity: true,
	})
	// ... use the client
}
Links to Original References
1. go-redis Official Repository
2. Release Notes for 9.5.5, 9.6.3, and 9.7.3
Exploit Details
This vulnerability is triggered when the go-redis client is configured to transmit its identity and the CLIENT SETINFO command it sends during connection establishment times out, which is more likely under network connectivity issues or aggressive client timeouts. When that happens, the library can return responses out of order on that connection.
An attacker may exploit this vulnerability to potentially cause incorrect data to be returned to an application or system utilizing the go-redis library, leading to potential data corruption or other unintended consequences.
It is highly recommended to update to one of the patched go-redis versions (9.5.5, 9.6.3, or 9.7.3) or, as a mitigation, to set the DisableIndentity flag to true.
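The following is an added illustration, not code from go-redis, of the two failure modes listed above and of the timing described in Exploit Details. It uses a minimal RESP2 reader over constructed server bytes: the late "+OK" owed to a timed-out CLIENT SETINFO is left in the read buffer, so the next command (a GET) is paired with the wrong reply, and the leftover-bytes check is the one the default ConnPool performs when a connection is returned.

```go
package main
import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)
// Constructed bytes: the late "+OK" for a timed-out CLIENT SETINFO, then GET user:1's reply.
const serverBytes = "+OK\r\n$5\r\nalice\r\n"
// readReply parses one RESP2 reply (simple string, error, integer or bulk string).
func readReply(r *bufio.Reader) (string, error) {
	line, err := r.ReadString('\n')
	if err != nil {
		return "", err
	}
	line = strings.TrimSuffix(line, "\r\n")
	switch {
	case strings.HasPrefix(line, "+"), strings.HasPrefix(line, "-"), strings.HasPrefix(line, ":"):
		return line[1:], nil
	case strings.HasPrefix(line, "$"):
		n, err := strconv.Atoi(line[1:])
		if err != nil || n < 0 {
			return "", fmt.Errorf("bad bulk header %q", line)
		}
		buf := make([]byte, n+2) // payload plus trailing CRLF
		if _, err := io.ReadFull(r, buf); err != nil {
			return "", err
		}
		return string(buf[:n]), nil
	}
	return "", fmt.Errorf("unsupported reply %q", line)
}
// getAfterTimedOutSetInfo models the affected path: SETINFO's reply was never consumed, so
// unless the client drains it first, GET is paired with "+OK". unread mirrors the ConnPool
// check on Put: leftover buffered bytes mean the connection is out of sync and is discarded.
func getAfterTimedOutSetInfo(drainStaleReply bool) (reply string, unread bool, err error) {
	r := bufio.NewReader(strings.NewReader(serverBytes))
	if drainStaleReply { // fixed behaviour: consume the reply owed to CLIENT SETINFO
		if _, err = readReply(r); err != nil {
			return "", false, err
		}
	}
	reply, err = readReply(r) // the reply the caller attributes to GET user:1
	return reply, r.Buffered() > 0, err
}
func main() {
	reply, unread, err := getAfterTimedOutSetInfo(false) // affected path
	fmt.Printf("GET got %q, unread bytes left: %v, err: %v\n", reply, unread, err)
}
```

On a sticky connection the misalignment persists for every later command; with the default pool the unread flag causes the connection to be dropped after the single wrong reply.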
Timeline
Published on: 03/20/2025 18:15:19 UTC