CVE-2025-29923: go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment

March 20, 2025

The issue only occurs when the CLIENT SETINFO command times out during connection establishment. The following circumstances can cause such a timeout:

The client is configured to transmit its identity. This can be disabled via the DisableIndentity flag.
There are network connectivity issues
The client was configured with aggressive timeouts

The impact differs by use case:

References

github.com/advisories/GHSA-92cp-5422-2mw7
github.com/redis/go-redis
github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6
github.com/redis/go-redis/pull/3295
github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7
nvd.nist.gov/vuln/detail/CVE-2025-29923

Code Behaviors & Features

Detect and mitigate CVE-2025-29923 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →