CVE-2025-67733
Plain English Summary
This vulnerability allows a malicious user to inject harmful data into the responses sent to clients, which can corrupt or alter the information other users receive on the same connection. It affects specific versions of the Valkey database, and the issue arises from improper handling of errors in scripting commands.
Technical Description
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for Lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
CVSS Vector Analysis
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Quick Information
Published: Feb 23, 2026
Last Modified: Feb 25, 2026
Vendor: lfprojects
Product: valkey
Related Vulnerabilities
An attacker with network access to the Valkey database can send a specially crafted request that causes the system to crash, disrupting service. This vulnerability affects versions 9.0.0 to 9.0.2, so it's crucial to upgrade to version 9.0.3 or ensure that only trusted users can access the system.
An attacker with access to the Valkey database's clusterbus port can send a specially crafted packet that may crash the system, disrupting service. To exploit this vulnerability, the attacker must already have access to the clusterbus, so it's crucial to restrict access with proper network controls.
An attacker can exploit a flaw in the MCP Python SDK to send unauthorized requests to a local server running without authentication, potentially accessing sensitive resources or executing commands on behalf of the user. This vulnerability occurs only if the server is set up on localhost without proper security measures, making it critical to avoid running such servers without authentication.
An attacker can exploit this vulnerability to send unauthorized requests to a local MCP server running on a user's machine, potentially accessing sensitive resources or tools. This can happen if the server is running without authentication on localhost and does not have DNS rebinding protection enabled, which is a risky setup that should be avoided.