Hi,

On Wed, Jul 23, 2025 at 12:49:16PM -0700, Chris Lamb wrote:
> [adding #1107211 to CC]
> 
> Paul Gevers wrote:
> 
> > With this version, isn't CVE-2025-49112 also fixed?
> 
> No, not yet. Or, rather: I'm still either awaiting an upstream "fix"
> and/or waiting for upstream to determine whether it truly is a
> vulnerability at all:
> 
>   https://github.com/redis/redis/issues/14199#issuecomment-3076467634

It is correct that redis upstream vs valkey does classify the issue
differently. I think it's perfectly fine to leave this for redis
unpatched until upstream either say they won't fix it at all or apply
the hardening.

valkey has a CVE assigned, but it is definitively low severity.

Regards,
Salvatore
