
Valkey: Malicious Data Injection via Lua Scripting

CVE-2025-67733 GHSA-p876-p7q5-hv2m
Summary

A flaw in Valkey's Lua scripting system lets a user who can run scripting commands inject arbitrary data into a client's response stream, potentially corrupting or tampering with the data returned to other users on the same connection. The issue is fixed in versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12. Upgrade to a patched version.

Original title
Valkey Affected by RESP Protocol Injection via Lua error_reply
Original description
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for Lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
CVSS 3.1 score: 8.5 (source: OSV)
Vulnerability type
CWE-74 Injection
Published: 23 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026