CVE-2025-26268

DragonflyDB Dragonfly before 1.27.0 allows authenticated users to cause a denial of service (daemon crash) via a crafted Redis command. The validity of the scan cursor was not checked.

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/dragonflydb/dragonfly/commit/d1fac0f912edb323a2bdd6404c518cda21eac243	Patch
https://github.com/dragonflydb/dragonfly/compare/v1.26.4...v1.27.0	Patch Release Notes
https://github.com/dragonflydb/dragonfly/issues/4466	Exploit Issue Tracking
https://github.com/dragonflydb/dragonfly/issues/4466	Exploit Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:dragonflydb:dragonfly:*:*:*:*:*:*:*:*

History

25 Apr 2025, 16:33

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
First Time		Dragonflydb Dragonflydb dragonfly
CPE		cpe:2.3:a:dragonflydb:dragonfly::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
References	~~() https://github.com/dragonflydb/dragonfly/compare/v1.26.4...v1.27.0 -~~	() https://github.com/dragonflydb/dragonfly/compare/v1.26.4...v1.27.0 - Patch, Release Notes
References	~~() https://github.com/dragonflydb/dragonfly/commit/d1fac0f912edb323a2bdd6404c518cda21eac243 -~~	() https://github.com/dragonflydb/dragonfly/commit/d1fac0f912edb323a2bdd6404c518cda21eac243 - Patch
References	~~() https://github.com/dragonflydb/dragonfly/issues/4466 -~~	() https://github.com/dragonflydb/dragonfly/issues/4466 - Exploit, Issue Tracking

17 Apr 2025, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-17 18:15

Updated : 2025-04-25 16:33

NVD link : CVE-2025-26268

Mitre link : CVE-2025-26268

JSON object : View

Products Affected

dragonflydb

dragonfly

CWE

NVD-CWE-noinfo

6.5 /10