Summary
An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed.
Patches
By default, Valkey configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable.
When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory.
The problem exists in all versions of Valkey.
Workarounds
A workaround to mitigate this problem without patching the valkey executable is to block access to limit the output buffer limit, with client-output-buffer-limit normal <hard limit> <soft limit> <soft seconds>.
Credit
The problem was reported by Tiezhen Zhang([email protected]) and Hanyang Jin([email protected]).
Summary
An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed.
Patches
By default, Valkey configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable.
When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory.
The problem exists in all versions of Valkey.
Workarounds
A workaround to mitigate this problem without patching the valkey executable is to block access to limit the output buffer limit, with
client-output-buffer-limit normal <hard limit> <soft limit> <soft seconds>.Credit
The problem was reported by Tiezhen Zhang([email protected]) and Hanyang Jin([email protected]).