CVE-2025-67733

high

Description

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.

References

https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-67733.json

https://github.com/valkey-io/valkey/security/advisories/GHSA-p876-p7q5-hv2m

https://bugzilla.redhat.com/show_bug.cgi?id=2442025

https://access.redhat.com/security/cve/CVE-2025-67733

https://access.redhat.com/errata/RHSA-2026:5445

https://access.redhat.com/errata/RHSA-2026:3507

https://access.redhat.com/errata/RHSA-2026:3443

Details

Source: Mitre, NVD

Published: 2026-02-23

Updated: 2026-07-15

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:C

Severity: High

CVSS v3

Base Score: 7.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Severity: High

EPSS

EPSS: 0.0002