Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.9, Dragonfly has a RESP Protocol Injection via Lua redis.error_reply() in EvalSerializer. An authenticated user can inject arbitrary RESP messages into the connection's response stream, potentially causing response desynchronization in connection-pool clients. This vulnerability is fixed in 1.39.9.
CVSS
No CVSS.
References
Configurations
No configuration.
History
26 Jun 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-26 18:16
Updated : 2026-06-26 20:20
NVD link : CVE-2026-47206
Mitre link : CVE-2026-47206
CVE.ORG link : CVE-2026-47206
JSON object : View
Products Affected
No product.
CWE
CWE-116
Improper Encoding or Escaping of Output
