Critical Redis Remote Code Execution Flaw (CNVD‑2019‑21763): Risks & Fixes
A high‑severity Redis remote command execution vulnerability (CNVD‑2019‑21763) discovered in July 2019 allows unauthenticated attackers to load malicious modules and execute arbitrary code, affecting Redis 2.x‑5.x, with no official patch yet and only temporary mitigation steps available.
Security announcement number: CNTA-2019-0024
On July 10, 2019, the China National Vulnerability Database (CNVD) recorded a Redis remote command execution vulnerability (CNVD-2019-21763). Attackers can execute arbitrary code without authentication, gaining full server privileges. The exploit details are publicly known, and no official patch has been released.
1. Vulnerability Analysis
Redis is an open‑source, in‑memory key‑value database written in ANSI C, supporting network access and persistence. Starting with Redis 4.x, a module system allows loading external .so files as new commands. An attacker can exploit this feature to load a malicious module via an unauthenticated connection, achieving remote code execution.
The vulnerability is rated “high” by CNVD.
2. Affected Versions
Redis 2.x, 3.x, 4.x, 5.x
3. Mitigation Recommendations
Since no official patch is available, apply the following temporary measures:
Block external access to the Redis service port.
Do not run Redis with root privileges.
Configure security groups to restrict which IP addresses can connect to the Redis server.
Operators should audit their Redis deployments and apply the above mitigations promptly.
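A small audit script for the exposure described above, added here as an example and not part of the advisory. It checks a redis.conf for the measures the advisory lists (external reachability) and goes one step further with two additional hardening settings, `requirepass` and `rename-command MODULE ""`; all four directives are genuine redis.conf keywords, while the two sample configurations are constructed for this example.

```python
"""Audit a redis.conf for the exposure described in CNVD-2019-21763.

Constructed example, not from the advisory. 'bind', 'protected-mode',
'requirepass' and 'rename-command' are genuine redis.conf directives;
the sample configs below are made up for this check.
"""
from typing import Dict, List

# Constructed sample: default-style config reachable from any interface.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same instance after hardening.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command MODULE ""
"""

def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to the argument strings it was given (in order)."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, rest = line.partition(" ")
            conf.setdefault(key.lower(), []).append(rest.strip())
    return conf

def audit(text: str) -> List[str]:
    """Return findings for the weaknesses the advisory's mitigations address."""
    conf = parse_conf(text)
    findings: List[str] = []
    bind_tokens = [t for args in conf.get("bind", []) for t in args.split()]
    # No 'bind' line at all means Redis listens on every interface.
    if not bind_tokens or any(t in ("0.0.0.0", "::", "*") for t in bind_tokens):
        findings.append("bind: exposed on all interfaces; restrict to loopback/internal")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: off; unauthenticated remote clients accepted")
    if "requirepass" not in conf:
        findings.append("requirepass: unset; anyone reaching the port can load modules")
    if not any(a.upper().startswith("MODULE ") for a in conf.get("rename-command", [])):
        findings.append("rename-command: MODULE still enabled; disable unless needed")
    return findings
```

Run `audit()` over the live config file on each host; an empty list means none of the checked weaknesses is present, and a non-empty list names the directive to fix.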
Reference: https://paper.seebug.org/975/
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"