关联漏洞
标题:
Redis 安全漏洞
(CVE-2025-32023)
描述:Redis是美国Redis公司的一套开源的使用ANSI C编写、支持网络、可基于内存亦可持久化的日志型、键值(Key-Value)存储数据库,并提供多种语言的API。 Redis存在安全漏洞,该漏洞源于超日志操作可能导致堆栈或堆越界写入,可能导致远程代码执行。以下版本受到影响:2.8版本至8.0.3版本、7.4.5版本、7.2.10版本和6.2.19之前版本。
描述
CVE-2025-32023
介绍
# CVE-2025-32023 - Redis Remote Code Execution (RCE) 🚨
## 🧠 Overview:
A **critical RCE vulnerability** affecting Redis (< 7.2.4), where attackers can **load malicious modules** using the `MODULE LOAD` command.
## 🕳️ Vulnerability Type:
Remote Code Execution (RCE)
## 💥 **Impact:**
An **unauthenticated attacker** can execute arbitrary code and gain full control of the Redis server.
## 🔓 **Requirements for Exploitation:**
* Redis is **exposed to the internet** 🌍
* No **authentication** is set (no `requirepass` or ACLs) ❌
* Attacker has **write access** to Redis 📝
## 🛠️ **Attack Steps:**
1. Upload malicious `.so` (shared object) file to the Redis server.
2. Use the `MODULE LOAD` command to load the module.
3. Achieve **remote code execution** 💣
## 🧪 **Tested On:**
Redis 7.2.3 and below
## 🚫 **Not Affected:**
Redis **7.2.4 and above**
## 🛡️ Mitigation Steps:
* ✅ Upgrade to **Redis 7.2.4+**
* 🔐 Use **ACLs** or set a strong `requirepass`
* 🧱 Block external access via **firewall**
* 📛 Disable `MODULE LOAD` if not needed
## ⚠️ Security Tip:
Never expose Redis directly to the internet without proper authentication, ACLs, and network restrictions. Redis is **meant to be internal**.
🧩 **CVSS Score:** 9.8 (Critical)
🧬 **Discovered By:** Security researchers in early 2025.
---
文件快照
[4.0K] /data/pocs/b83c72f059b35d6780cc61c3b33b298061e90f00
├── [ 561] CVE-2025-32023.py
├── [1.3K] README.md
└── [4.9K] solver-CVE-2025-32023.py
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。