CVE-2025-67733: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in valkey-io valkey
CVE-2025-67733 is a high-severity vulnerability in the valkey distributed key-value database affecting versions prior to 7.2.12, 8.0.7, 8.1.6, and 9.0.2. It arises from improper neutralization of special elements in output used by downstream components, specifically in the error handling of Lua scripts that do not correctly handle null characters.
AI Analysis
Technical Summary
CVE-2025-67733 is a vulnerability classified under CWE-74, involving improper neutralization of special elements in output used by downstream components, specifically in the valkey distributed key-value database. The issue exists in the error handling code for Lua scripts, which fails to properly handle null characters. This flaw enables a malicious user to inject arbitrary information into the response stream sent to clients over the same connection. The injection can lead to data corruption or tampering, affecting the integrity and availability of the database responses. The vulnerability affects multiple version ranges of valkey prior to 7.2.12, 8.0.7, 8.1.6, and 9.0.2, where the issue has been fixed. Exploitation requires network access and limited privileges but no user interaction, making it relatively easy to exploit in environments where attackers have some scripting capability. The vulnerability does not directly expose confidential data but can disrupt service and corrupt data returned to clients. The CVSS 3.1 score of 8.5 reflects a high severity with network attack vector, low attack complexity, and partial impact on integrity and high impact on availability. No public exploits have been reported yet, but the potential for damage in multi-tenant or shared connection environments is significant.
Potential Impact
The primary impact of CVE-2025-67733 is on data integrity and availability within valkey database deployments. Attackers can inject arbitrary data into the response stream, potentially causing data corruption or delivering tampered responses to legitimate users sharing the same connection. This can undermine trust in the database's data accuracy and disrupt dependent applications or services. Organizations relying on valkey for critical data storage or distributed caching may experience service degradation or incorrect data processing, leading to operational disruptions. While confidentiality is not directly impacted, the integrity and availability issues can cascade into broader business risks, including compliance violations if data integrity is mandated. Multi-tenant environments or those with shared client connections are particularly vulnerable, as injected data can affect multiple users. The ease of exploitation combined with network accessibility and limited privilege requirements increases the threat level for organizations using affected valkey versions.
Mitigation Recommendations
To mitigate CVE-2025-67733, organizations should immediately upgrade valkey to the fixed versions 7.2.12, 8.0.7, 8.1.6, or 9.0.2 depending on their current deployment version. Beyond patching, administrators should restrict scripting capabilities and limit the use of Lua scripts to trusted users only, reducing the attack surface. Network segmentation and strict access controls should be implemented to limit exposure of valkey instances to untrusted networks or users. Monitoring and logging of unusual scripting commands or response anomalies can help detect attempted exploitation. Additionally, validating and sanitizing all inputs and outputs at the application layer interacting with valkey can provide an extra layer of defense. Organizations should also review connection sharing policies to minimize multi-user connections that could amplify the impact of injection attacks. Finally, conducting regular security assessments and code reviews of custom scripts interacting with valkey can prevent similar injection flaws.
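As an added defensive example (not valkey's own code and not the upstream patch), the following Python shows two checks that the recommendations above call for: a RESP error-reply encoder that escapes NUL and CRLF bytes before a script error message reaches the wire, and a client-side reply counter that flags a response stream carrying more replies than commands were sent. The escaping scheme, function names and sample byte strings are assumptions constructed for illustration.

```python
"""Defensive RESP helpers (constructed example, not valkey code)."""

# Bytes that must never appear raw inside a single-line RESP reply:
# NUL confuses length-unaware C string handling, CR/LF terminates the frame.
ESCAPES = ((b"\\", b"\\\\"), (b"\x00", b"\\x00"), (b"\r", b"\\r"), (b"\n", b"\\n"))


def safe_error_reply(message: bytes) -> bytes:
    """Build a RESP simple-error reply ('-...\\r\\n') whose payload cannot
    end the line early or smuggle a second frame into the stream."""
    for raw, esc in ESCAPES:
        message = message.replace(raw, esc)
    return b"-" + message + b"\r\n"


def _parse_one(buf: bytes, pos: int):
    """Parse one RESP2 value starting at pos; return (value, next_pos)."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise ValueError("truncated frame")
    kind, line = buf[pos:pos + 1], buf[pos + 1:end]
    pos = end + 2
    if kind in (b"+", b"-"):            # simple string / simple error
        return (kind.decode(), line), pos
    if kind == b":":                    # integer
        return int(line), pos
    if kind == b"$":                    # bulk string (or null bulk, $-1)
        n = int(line)
        if n == -1:
            return None, pos
        if buf[pos + n:pos + n + 2] != b"\r\n":
            raise ValueError("bulk length mismatch")
        return buf[pos:pos + n], pos + n + 2
    if kind == b"*":                    # array of nested values
        items = []
        for _ in range(int(line)):
            item, pos = _parse_one(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError(f"unknown type byte {kind!r}")


def parse_replies(stream: bytes) -> list:
    """Split a raw RESP2 byte stream into its top-level replies."""
    replies, pos = [], 0
    while pos < len(stream):
        value, pos = _parse_one(stream, pos)
        replies.append(value)
    return replies


def extra_replies(commands_sent: int, stream: bytes) -> int:
    """Replies beyond those the client asked for; any value > 0 is an
    anomaly worth logging, since a well-behaved server answers 1:1."""
    return max(0, len(parse_replies(stream)) - commands_sent)
```

The counter is only a heuristic for pipelined traffic; pub/sub pushes and MONITOR output legitimately produce unsolicited frames and must be excluded before alerting on it.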
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, France, Canada, Australia, Netherlands, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-11T00:45:45.790Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699cbd8cbe58cf853bc4b3d6
Added to database: 2/23/2026, 8:50:20 PM
Last enriched: 2/23/2026, 8:51:44 PM
Last updated: 2/24/2026, 5:33:46 AM