
CVE-2025-21605: CWE-770: Allocation of Resources Without Limits or Throttling in redis redis

High
Tags: Vulnerability, CVE-2025-21605, CWE-770
Published: Wed Apr 23 2025 (04/23/2025, 15:38:11 UTC)
Source: CVE
Vendor/Project: redis
Product: redis

Description

Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, an unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow without limit over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system runs out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: either using network access control tools like firewalls, iptables, security groups, etc., or enabling TLS and requiring users to authenticate using client-side certificates.

AI-Powered Analysis

Last updated: 07/06/2025, 00:54:33 UTC

Technical Analysis

CVE-2025-21605 is a high-severity vulnerability affecting Redis, an open-source in-memory database widely used for caching, message brokering, and real-time data processing. The vulnerability arises from the lack of limits or throttling on the output buffer size for client connections in Redis versions from 2.6 up to, but not including, 7.4.3. Specifically, an unauthenticated client can cause the output buffer to grow without bounds by repeatedly triggering server responses, such as "NOAUTH" messages when password authentication is enabled but no password is provided. This unchecked growth eventually exhausts server memory, leading to denial of service (DoS) as Redis becomes unresponsive or crashes. The root cause is classified under CWE-770: Allocation of Resources Without Limits or Throttling. By default, Redis does not impose limits on the output buffer for normal clients, making this attack feasible without authentication or user interaction. The vulnerability has been addressed in Redis version 7.4.3. Until a patch is applied, mitigation involves restricting unauthenticated access via network controls (firewalls, iptables, security groups) or enabling TLS with client certificate authentication to prevent unauthorized connections. No known exploits are reported in the wild yet, but the ease of exploitation and the critical impact on availability make this a significant threat to Redis deployments.

Potential Impact

For European organizations relying on Redis for critical infrastructure such as web applications, financial services, telecommunications, or government services, this vulnerability poses a substantial risk of service disruption. An attacker can remotely trigger a denial of service by exhausting server memory, potentially causing downtime, degraded performance, or cascading failures in dependent systems. This can affect data availability and operational continuity, especially in environments where Redis is used as a caching layer or message broker. Since no authentication is required, attackers can exploit exposed Redis instances accessible over the network. The impact is particularly severe for organizations with Redis servers exposed to untrusted networks or insufficiently segmented internal networks. Additionally, sectors with strict uptime requirements and regulatory compliance obligations (e.g., finance, healthcare, public sector) may face operational and reputational damage. The vulnerability does not compromise confidentiality or integrity directly but can indirectly affect business processes and service reliability.

Mitigation Recommendations

1. Upgrade Redis to version 7.4.3 or later, where this vulnerability is patched.
2. Immediately restrict network access to Redis instances by implementing strict firewall rules, iptables configurations, or cloud security groups to allow connections only from trusted hosts and networks.
3. Enable TLS encryption and require client-side certificate authentication to prevent unauthenticated access.
4. Configure Redis's client-output-buffer-limit settings to impose strict limits on output buffer sizes for all client classes, including normal clients, to prevent unbounded memory growth.
5. Regularly audit Redis server configurations and network exposure to ensure no unauthorized access paths exist.
6. Monitor Redis server memory usage and logs for unusual spikes or repeated "NOAUTH" responses that may indicate attempted exploitation.
7. Consider deploying Redis behind VPNs or private networks inaccessible from the public internet.
8. Educate system administrators about the risks of exposing Redis without authentication and the importance of applying security best practices.
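As an added configuration-audit example for recommendations 1 and 4 (not part of this advisory or of Redis itself), the script below parses the class/hard/soft/seconds quadruples that `CONFIG GET client-output-buffer-limit` returns or that a redis.conf file contains, flags client classes left with no limit at all (the default `normal 0 0 0` that this CVE depends on), and checks whether a version string falls in the affected range. The sample values and the "hardened" sizes are constructed for illustration, not recommended numbers.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the single string CONFIG GET client-output-buffer-limit
# returns on a default install (class, hard limit, soft limit, soft seconds).
DEFAULT_LIMITS = "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"

# Constructed redis.conf excerpt that bounds normal clients. The sizes are an
# assumption for illustration; size them for your own workload.
HARDENED_CONF = """
maxmemory 2gb
client-output-buffer-limit normal 64mb 32mb 60
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
"""

# Redis memory-unit syntax as documented in redis.conf: k=1000, kb=1024, etc.
_UNITS = {"": 1, "k": 1000, "kb": 1024, "m": 1000**2, "mb": 1024**2, "g": 1000**3, "gb": 1024**3}

def parse_size(text: str) -> int:
    """Parse a Redis size token such as '64mb' or '0' into bytes."""
    m = re.fullmatch(r"(\d+)([kmg]b?)?", text.strip().lower())
    if not m:
        raise ValueError(f"bad size token: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or ""]

def parse_limits(value: str) -> Dict[str, Tuple[int, int, int]]:
    """Parse 'class hard soft seconds ...' into {class: (hard, soft, seconds)}."""
    tokens = value.split()
    if not tokens or len(tokens) % 4:
        raise ValueError("expected groups of four: class hard soft seconds")
    return {tokens[i]: (parse_size(tokens[i + 1]), parse_size(tokens[i + 2]), int(tokens[i + 3]))
            for i in range(0, len(tokens), 4)}

def limits_from_conf(conf_text: str) -> Dict[str, Tuple[int, int, int]]:
    """Collect every client-output-buffer-limit directive from redis.conf text."""
    args = [line.split(None, 1)[1] for line in conf_text.splitlines()
            if line.strip().startswith("client-output-buffer-limit")]
    limits = parse_limits(" ".join(args)) if args else {}
    # An absent directive leaves Redis at its built-in default of no limit.
    limits.setdefault("normal", (0, 0, 0))
    return limits

def unbounded_classes(limits: Dict[str, Tuple[int, int, int]]) -> List[str]:
    """Client classes whose hard and soft limits are both 0, i.e. unlimited."""
    return [cls for cls, (hard, soft, _) in limits.items() if hard == 0 and soft == 0]

def is_vulnerable_version(version: str) -> bool:
    """True for 2.6 <= version < 7.4.3, the range the advisory names."""
    parts = [int(p) for p in version.split(".")[:3]]
    parts += [0] * (3 - len(parts))
    return (2, 6, 0) <= tuple(parts) < (7, 4, 3)
```

Run `unbounded_classes(parse_limits(DEFAULT_LIMITS))` to see `['normal']` flagged on the default settings, and `unbounded_classes(limits_from_conf(HARDENED_CONF))` to confirm the constructed hardened file leaves no class unlimited.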


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2024-12-29T03:00:24.712Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd6e93

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/6/2025, 12:54:33 AM

Last updated: 8/21/2025, 9:11:58 AM

