
CRE-2025-0174

Redis Authentication Failures and ACL Permission Denials

Severity: Critical
Impact: 7/10
Mitigation: 8/10


Description

Detects Redis authentication failures, including wrong passwords, missing authentication, and ACL permission denials. These errors prevent legitimate clients from accessing Redis and may indicate security misconfigurations or attempted unauthorized access.

Mitigation

IMMEDIATE ACTIONS:
- Verify Redis auth configuration: `redis-cli CONFIG GET requirepass`
- Test authentication: `redis-cli -a <password> ping`
- Check ACL users: `redis-cli ACL LIST`
- Review client connection strings for correct credentials

RECOVERY:
- Update the client password configuration
- Reset the Redis password if needed: `redis-cli CONFIG SET requirepass newpassword`
- Fix ACL permissions for the user: `redis-cli ACL SETUSER username +@all`
- Disable auth temporarily (UNSAFE): `redis-cli CONFIG SET requirepass ""`

ACL TROUBLESHOOTING:
- List user permissions: `redis-cli ACL GETUSER username`
- Grant specific command access: `redis-cli ACL SETUSER username +get +set +del`
- Create a new user with full access: `redis-cli ACL SETUSER newuser on >password +@all`

PREVENTION:
- Use environment variables for passwords
- Implement proper secret management
- Rotate passwords regularly, coordinated with client configuration updates
- Monitor authentication failure rates
- Use ACLs for fine-grained access control
- Document authentication requirements
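As an added example (not part of this CRE or the project's own rule), the following Python classifier turns the Redis error replies this rule is concerned with (`NOAUTH`, `WRONGPASS`, `NOPERM`, and the `ERR AUTH ... called without any password configured` reply) into failure classes and applies a per-client failure-rate check, which is the "monitor authentication failure rates" step above. The application log format and the `app[client]` tag are assumptions; the log lines are constructed.

```python
import re
from collections import Counter
from typing import Optional

# Constructed application log lines that embed Redis error replies.
# The NOAUTH / WRONGPASS / NOPERM / ERR prefixes are real Redis reply codes;
# the surrounding log format is an assumption for this example.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z app[web-1] redis error: NOAUTH Authentication required.
2025-06-01T10:00:02Z app[web-1] redis error: WRONGPASS invalid username-password pair or user is disabled.
2025-06-01T10:00:03Z app[worker-2] redis error: NOPERM this user has no permissions to run the 'flushall' command
2025-06-01T10:00:04Z app[worker-2] redis error: NOPERM this user has no permissions to access one of the keys used as arguments
2025-06-01T10:00:05Z app[web-1] redis ok: PONG
2025-06-01T10:00:06Z app[web-1] redis error: ERR AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct?
"""

# Redis reply prefix -> failure class used for triage.
ERROR_CLASSES = {
    "NOAUTH": "missing_auth",       # client never sent AUTH (requirepass/ACL set on server)
    "WRONGPASS": "bad_credentials",  # wrong password, unknown user, or user disabled
    "NOPERM": "acl_denied",          # authenticated, but ACL blocks the command or key
}
UNCONFIGURED_AUTH = re.compile(r"ERR AUTH .* called without any password configured")


def classify(line: str) -> Optional[str]:
    """Return the auth failure class for one log line, or None if it is not an auth failure."""
    m = re.search(r"redis error: (\S+)", line)
    if not m:
        return None
    prefix = m.group(1)
    if prefix in ERROR_CLASSES:
        return ERROR_CLASSES[prefix]
    if prefix == "ERR" and UNCONFIGURED_AUTH.search(line):
        return "auth_not_configured"  # client sends AUTH but the server has no password set
    return None


def summarize(log: str, threshold: float = 0.5) -> dict:
    """Count failures per class and per client; set 'alert' when the failure ratio exceeds threshold."""
    by_class, by_client, total = Counter(), Counter(), 0
    for line in log.splitlines():
        total += 1
        cls = classify(line)
        if cls:
            by_class[cls] += 1
            client = re.search(r"app\[([^\]]+)\]", line)
            by_client[client.group(1) if client else "unknown"] += 1
    failures = sum(by_class.values())
    ratio = failures / total if total else 0.0
    return {"total": total, "failures": failures, "by_class": dict(by_class),
            "by_client": dict(by_client), "alert": ratio > threshold}
```

A `NOPERM` spike from one client usually points at an ACL rule narrower than the commands or key patterns that client uses, whereas `WRONGPASS` across many clients after a password change points at uncoordinated rotation.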

References