Hi
valkey fixed CVE-2025-49112 via https://github.com/valkey-io/valkey/pull/2101 and upstream commit https://github.com/valkey-io/valkey/commit/374718b2a365ca69f715d542709b7d71540b1387
The same issue should apply as well to redis.
Comment From: sundb
IMHO, this is merely defensive programming, not a genuine vulnerability.
Comment From: oranagra
i agree.
prev->used can't possibly be greater than prev-size.
and thus, even if we enter that if excessively, nothing bad will happen.
Comment From: XtremeOwnageDotCom
IMHO, this is merely defensive programming, not a genuine vulnerability.
The vast majority of vulnerabilities, aren't vulnerabilities. Most of them are, "Default configuration does not require authentication".
Vulnerabilities, are tracked here: https://nvd.nist.gov/vuln
Actively exploited vulnerabilities, are tracked here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=Mozilla&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=
Most cyber attacks, aren't from a single CVE, but, rather many vulnerabilities combined.
Like, a simple bug which allows viewing access to something you shouldn't see (but, doesn't give actual access to it). Like an admin page.
And then another small bug, that allows anyone on the admins page, to run a sql injection.
And then, a bug, or default configuration in the database, which allows obtaining shell access from the bad query.
And then another bug inside of a random daemon, which allows root privilege escalation, but, only for anyone locally logged into the PC.
And then through lots of very small, minor bugs, which aren't at all an issue- (Because you know- only admins can log into the server, and only admins can view the admin page), you end up with a full system takeover.
IMHO, this is merely defensive programming, not a genuine vulnerability.
So, from a strict security posture, I'd recommend evaluating how you are looking at these issues.
All it takes, is a few other minor issues, and voila. a big issue.
Comment From: oranagra
Vulnerabilities, are tracked here: Actively exploited vulnerabilities, are tracked here All it takes, is a few other minor issues, and voila. a big issue.
i agree. but this issue isn't an issue (not a inevitability, and not an actively exploited one), there's no code flow that can lead to it being an issue.
it's about defensive programming, like placing extra checks and assertions that can't possibly happen. an extreme example could be int a = 1; assert(a);.
in any case, i don't at all object to "fixing" that code to be "safer", but i object calling it a security issue, mentioning it in the release notes (like fixing dead code), and trolling the users to rush and upgrade.