{ "schema_version": "1.4.0", "id": "GHSA-92cp-5422-2mw7", "modified": "2025-03-20T18:49:59Z", "published": "2025-03-20T18:49:59Z", "aliases": [ "CVE-2025-29923" ], "summary": "go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment", "details": "### Impact\n\nThe issue only occurs when the `CLIENT SETINFO` command times out during connection establishment. The following circumstances can cause such a timeout:\n\n1. The client is configured to transmit its identity. This can be disabled via the `DisableIndentity` flag.\n2. There are network connectivity issues\n3. The client was configured with aggressive timeouts\n\nThe impact differs by use case:\n\n* **Sticky connections**: Rather than using a connection from the pool on-demand, the caller can stick with a connection. Then you receive persistent out-of-order responses for the lifetime of the connection.\n* **Pipelines**: All commands in the pipeline receive incorrect responses.\n* **Default connection pool usage without pipelining**: When used with the default [ConnPool](https://github.com/redis/go-redis/blob/8fadbef84a3f4e7573f8b38e5023fd469470a8a4/internal/pool/pool.go#L77) once a connection is returned after use with [ConnPool#Put](https://github.com/redis/go-redis/blob/8fadbef84a3f4e7573f8b38e5023fd469470a8a4/internal/pool/pool.go#L366) the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded.\n\n### Patches\nWe prepared a fix in https://github.com/redis/go-redis/pull/3295 and plan to release patch versions soon.\n\n### Workarounds\nYou can prevent the vulnerability by setting the flag `DisableIndentity` (BTW: We also need to fix the spelling.) to `true` when constructing the client instance.\n\n### Credit\n\nAkhass Wasti\nRamin Ghorashi\nAnton Amlinger\nSyed Rahman\nMahesh Venkateswaran\nSergey Zavoloka\nAditya Adarwal\nAbdulla Anam\nAbd-Alhameed\nAlex Vanlint\nGaurav Choudhary\nVedanta Jha\nYll Kelani\nRyan Picard", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/redis/go-redis/v9" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.7.0-beta.1" }, { "fixed": "9.7.3" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/redis/go-redis/v9" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.6.0b1" }, { "fixed": "9.6.3" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/redis/go-redis/v9" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.5.1" }, { "fixed": "9.5.5" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29923" }, { "type": "WEB", "url": "https://github.com/redis/go-redis/pull/3295" }, { "type": "WEB", "url": "https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6" }, { "type": "PACKAGE", "url": "https://github.com/redis/go-redis" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2025-03-20T18:49:59Z", "nvd_published_at": "2025-03-20T18:15:19Z" } }