PatchSiren cyber security CVE debrief

CVE-2025-67733 valkey-io CVE debrief

CVE-2025-67733 is a high-severity vulnerability (CVSS 8.5) in the Valkey distributed key-value database. A malicious user can inject arbitrary information into the response stream for a given client, potentially corrupting or returning tampered data to other users on the same connection, because the error-handling code for Lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. The vulnerability was published on February 23, 2026, and last modified on June 30, 2026.

Vendor: valkey-io
Product: valkey
CVSS: HIGH 8.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-23
Original CVE updated: 2026-06-30
Advisory published: 2026-02-23
Advisory updated: 2026-06-30

Who should care

Anyone operating the Valkey distributed key-value database should be aware of this vulnerability and mitigate it by upgrading to a patched version (9.0.2, 8.1.6, 8.0.7, or 7.2.12) and ensuring that Lua scripts are properly validated. Organizations using Valkey should prioritize patching to prevent potential data tampering.

Technical summary

The vulnerability allows a malicious user, by way of scripting commands, to inject arbitrary information into the response stream for a given client, potentially corrupting or returning tampered data to other users on the same connection. The root cause is that the error-handling code for Lua scripts does not properly handle null characters, which allows arbitrary data to be injected. The issue is fixed in versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H.

Defensive priority

High priority should be given to patching this vulnerability. Organizations using Valkey should upgrade to a patched version (9.0.2, 8.1.6, 8.0.7, or 7.2.12) as soon as possible. In addition, defenders should review Lua scripts used in their Valkey deployments to ensure they are properly validated.

Recommended defensive actions

  • Upgrade to a patched version of Valkey (9.0.2, 8.1.6, 8.0.7, or 7.2.12)
  • Review Lua scripts used in Valkey deployments to ensure they are properly validated
  • Monitor Valkey logs for suspicious activity
  • Implement additional security controls to prevent data tampering
  • Perform regular security audits and vulnerability assessments
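As a practical check for the first action, the script below classifies a server's reported version against the fixed releases named in this debrief. It is an added example, not PatchSiren's or Valkey's own code; the `valkey_version:` field name in INFO server output and the sample reply are assumptions, and a branch the debrief does not list is reported as unknown rather than assumed safe.

```python
"""Check a Valkey version string against the CVE-2025-67733 fixed releases.

Added example; not PatchSiren's or Valkey's code.  The INFO field name
``valkey_version`` and the sample INFO output are assumptions.
"""
import re
from typing import Optional, Tuple

# Fixed releases per branch, as stated in the debrief.  A branch absent from
# this table (for example a newer minor release) is reported as unknown.
FIXED_VERSIONS = {
    (9, 0): (9, 0, 2),
    (8, 1): (8, 1, 6),
    (8, 0): (8, 0, 7),
    (7, 2): (7, 2, 12),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract a major.minor.patch triple; None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess_version(version: str) -> str:
    """Return 'patched', 'vulnerable', 'unknown-branch' or 'unparseable'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        # Not covered by the advisory text; do not assume it is safe.
        return "unknown-branch"
    return "patched" if parsed >= fixed else "vulnerable"


def assess_info(info_text: str) -> dict:
    """Run the check over the text of an INFO server reply.

    Only the ``valkey_version:`` line (assumed name) is used; the
    ``redis_version:`` compatibility field is deliberately ignored because
    it does not identify the Valkey release.
    """
    for line in info_text.splitlines():
        line = line.strip()
        if line.startswith("valkey_version:"):
            version = line.split(":", 1)[1].strip()
            return {"version": version, "status": assess_version(version)}
    return {"version": None, "status": "no-valkey-version-field"}


# Constructed sample INFO output, not captured from a real server.
SAMPLE_INFO = """\
# Server
valkey_version:8.1.5
redis_version:7.2.4
os:Linux
"""

if __name__ == "__main__":
    print(assess_info(SAMPLE_INFO))
```

Feed it the output of `INFO server` from each deployment; anything other than `patched` warrants follow-up against the vendor advisory, since the table covers only the branches the debrief names.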

Evidence notes

The CVE record for CVE-2025-67733 was published on February 23, 2026, and last modified on June 30, 2026. The NVD detail page for CVE-2025-67733 provides additional information on the vulnerability. A vendor advisory is available on the GitHub security advisories page. Red Hat has also published errata related to this vulnerability (RHSA-2026:3443, RHSA-2026:3507, RHSA-2026:5445).

Official resources

This article is AI-assisted and based on the supplied source corpus.