CVE-2025-29923

{"id": "CVE-2025-29923", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2025-03-20T18:15:19.230", "references": [{"url": "https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6", "source": "security-advisories@github.com"}, {"url": "https://github.com/redis/go-redis/pull/3295", "source": "security-advisories@github.com"}, {"url": "https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance."}, {"lang": "es", "value": "go-redis es la librer\u00eda cliente oficial de Redis para el lenguaje de programaci\u00f3n Go. En versiones anteriores a las 9.5.5, 9.6.3 y 9.7.3, go-redis pod\u00eda responder de forma incorrecta cuando se agotaba el tiempo de espera de `CLIENT SETINFO` durante el establecimiento de la conexi\u00f3n. Esto puede ocurrir cuando el cliente est\u00e1 configurado para transmitir su identidad, existen problemas de conectividad de red o se configur\u00f3 con tiempos de espera agresivos. El problema se presenta en varios casos de uso. En conexiones persistentes, se reciben respuestas incorrectas persistentes durante la vida \u00fatil de la conexi\u00f3n. Todos los comandos en la canalizaci\u00f3n reciben respuestas incorrectas. Al usar el ConnPool predeterminado, una vez que se devuelve una conexi\u00f3n despu\u00e9s de usar ConnPool#Put, se revisa el b\u00fafer de lectura y la conexi\u00f3n se marca como incorrecta debido a los datos no le\u00eddos. Esto significa que se recibe como m\u00e1ximo una respuesta incorrecta antes de que se descarte la conexi\u00f3n. Este problema se solucion\u00f3 en las versiones 9.5.5, 9.6.3 y 9.7.3. Puede evitar la vulnerabilidad estableciendo el indicador DisableIndentity en verdadero al construir la instancia del cliente."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "security-advisories@github.com"}