CVE-2025-62507 HIGH

CVE-2025-62507: Redis: Bug in XACKDEL may lead to stack overflow and potential RCE

Vendor Redis

Product redis

Weakness CWE-20 · Input validation

Published November 4, 2025

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Redis is an open source, in-memory database that persists on disk. In versions 8.2.0 and above, a user can run the XACKDEL command with multiple ID's and trigger a stack buffer overflow, which may potentially lead to remote code execution. This issue is fixed in version 8.2.3. To workaround this issue without patching the redis-server executable is to prevent users from executing XACKDEL operation. This can be done using ACL to restrict XACKDEL command.

Key dates

02Disclosure timeline

November 4, 2025 CVE published

February 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-62507

Related vulnerabilities

CVE-2025-62507: Redis: Bug in XACKDEL may lead to stack overflow and potential RCE

01Description

02Disclosure timeline

03References

04Related CVE