Description
Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.9, Dragonfly has a RESP Protocol Injection via Lua redis.error_reply() in EvalSerializer. An authenticated user can inject arbitrary RESP messages into the connection's response stream, potentially causing response desynchronization in connection-pool clients. This vulnerability is fixed in 1.39.9.
Published: 2026-06-26
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability lets an authenticated Dragonfly user inject arbitrary RESP messages into a connection's response stream through the Lua redis.error_reply() path in the EvalSerializer: an error message containing RESP framing characters (CR/LF) is emitted without escaping, so the client parses it as one or more extra replies. A client that pipelines requests or shares pooled connections then pairs replies with the wrong requests and returns erroneous or stale data to callers. The impact is limited to disrupting communication and destabilizing application logic; it does not provide code execution or data exfiltration, and the CVSS v4 vector rates the impact on Dragonfly itself as none, with low confidentiality and integrity effects on the subsequent (client) system. The weakness is classified as CWE‑116, Improper Encoding or Escaping of Output.
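The mechanism above, and the reply-count check that the monitoring recommendation further down relies on, as an added example that is not Dragonfly's code or the project's fix. It assumes the standard Redis semantics of redis.error_reply() (an error frame `-message\r\n`), models the pre-1.39.9 behaviour as writing that message verbatim, and models the fix as mapping CR/LF to spaces the way Redis sanitises error strings; the page does not say how 1.39.9 actually fixed it, so that hardened encoder is an assumption. The server output and the `"boom\r\n+OK"` payload are constructed for the example.

```python
"""Added example (not Dragonfly's code): how an unescaped Lua error message
turns into extra RESP frames, and why a pooled client mis-pairs the replies."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union


@dataclass(frozen=True)
class RespError:
    """An error reply (-message\\r\\n) as the client sees it."""
    message: str


Reply = Union[str, int, bytes, None, list, RespError]


def encode_error_reply_vulnerable(message: str) -> bytes:
    # Pre-1.39.9 behaviour as the advisory describes it: the string handed to
    # redis.error_reply() is written verbatim, so a CR/LF inside it ends the
    # error frame early and the remainder is parsed as further replies.
    return b"-" + message.encode() + b"\r\n"


def encode_error_reply_hardened(message: str) -> bytes:
    # Assumed fix (modelled on how Redis sanitises error strings; the page does
    # not say how 1.39.9 fixed it): map CR and LF to spaces so the message can
    # never close its own frame or open another.
    clean = message.replace("\r", " ").replace("\n", " ")
    return b"-" + clean.encode() + b"\r\n"


def parse_resp(stream: bytes) -> List[Reply]:
    """Parse every complete RESP2 reply in `stream`, as a client would."""
    replies: List[Reply] = []
    pos = 0
    while pos < len(stream):
        reply, pos = _parse_one(stream, pos)
        replies.append(reply)
    return replies


def _read_line(stream: bytes, pos: int) -> Tuple[bytes, int]:
    end = stream.index(b"\r\n", pos)
    return stream[pos:end], end + 2


def _parse_one(stream: bytes, pos: int) -> Tuple[Reply, int]:
    kind = stream[pos:pos + 1]
    line, pos = _read_line(stream, pos + 1)
    if kind == b"+":
        return line.decode(), pos
    if kind == b"-":
        return RespError(line.decode()), pos
    if kind == b":":
        return int(line), pos
    if kind == b"$":
        n = int(line)
        if n == -1:                                   # null bulk string
            return None, pos
        return stream[pos:pos + n], pos + n + 2       # skip trailing CRLF
    if kind == b"*":
        items: list = []
        for _ in range(int(line)):
            item, pos = _parse_one(stream, pos)
            items.append(item)
        return items, pos
    raise ValueError(f"bad RESP type byte {kind!r} at offset {pos}")


def pooled_client_view(encoder: Callable[[str], bytes],
                       lua_error_message: str) -> Dict[str, object]:
    """Simulate one pooled connection that pipelined EVAL followed by GET.

    Constructed server output: the EVAL reply is whatever the encoder makes of
    the Lua error message, followed by the real GET reply (bulk string "hello").
    The client pairs replies with requests strictly in order, so an injected
    frame shifts every reply after it onto the wrong request; the leftover
    frame stays buffered and is handed to whoever borrows the connection next.
    A reply count that differs from the request count is the cheap client-side
    detection signal.
    """
    requests = ["EVAL", "GET"]
    wire = encoder(lua_error_message) + b"$5\r\nhello\r\n"
    replies = parse_resp(wire)
    return {
        "wire": wire,
        "reply_count": len(replies),
        "desynchronized": len(replies) != len(requests),
        "paired": dict(zip(requests, replies)),
        "unclaimed": replies[len(requests):],
    }


if __name__ == "__main__":
    # Constructed malicious message: ends the error frame and injects "+OK".
    payload = "boom\r\n+OK"
    for name, enc in (("vulnerable", encode_error_reply_vulnerable),
                      ("hardened", encode_error_reply_hardened)):
        print(name, pooled_client_view(enc, payload))
```

With the vulnerable encoder the GET request is answered with the injected `+OK` and the genuine `hello` reply is left unclaimed on the connection; with the hardened encoder the whole payload stays inside one error frame and the pairing is correct.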

Affected Systems

The vulnerability affects DragonflyDB Dragonfly versions older than 1.39.9. Any installation of the Dragonfly in-memory data store on which authenticated users can run Lua scripts (and therefore reach the affected EvalSerializer) is at risk.

Risk and Exploitability

The CVSS v4.0 base score is 2.3 (Low), vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N: reachable over the network with low privileges and no user interaction, but with attack requirements present (AT:P) and no confidentiality, integrity or availability impact on Dragonfly itself; the low confidentiality and integrity effects fall on subsequent systems, that is, the clients consuming the desynchronized stream. EPSS is not available and the issue is not listed in CISA's KEV catalog; the SSVC record marks exploitation as "poc" and the issue as not automatable. Exploitation requires authentication as a user permitted to run Lua scripts (EVAL/EVALSHA). Because the flaw causes response desynchronization rather than privilege escalation, the overall risk is low and is removed by applying the available update.

Generated by OpenCVE AI on June 26, 2026 at 18:22 UTC.

Remediation

Fixed upstream in Dragonfly 1.39.9, as stated in the description. No separate workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade Dragonfly to version 1.39.9 or later, which corrects the EvalSerializer output encoding
  • Limit or revoke the ability for authenticated users to execute arbitrary Lua scripts if that capability is unnecessary
  • Review and adjust connection‑pooling usage; if possible, isolate pools or enable fail‑over to mitigate desynchronization
  • Monitor clients for unexpected or unpaired RESP replies (protocol errors, reply counts that do not match the number of pipelined requests) to detect injection attempts early

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Dragonflydb; Dragonflydb dragonfly
Vendors & Products                    Dragonflydb; Dragonflydb dragonfly

Fri, 26 Jun 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc (v2.0.3): Exploitation: poc; Automatable: no; Technical Impact: partial


Fri, 26 Jun 2026 17:30:00 +0000

Type          Values Removed   Values Added
Description                    Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.9, Dragonfly has a RESP Protocol Injection via Lua redis.error_reply() in EvalSerializer. An authenticated user can inject arbitrary RESP messages into the connection's response stream, potentially causing response desynchronization in connection-pool clients. This vulnerability is fixed in 1.39.9.
Title                          Dragonfly: RESP Protocol Injection via Lua redis.error_reply() in EvalSerializer
Weaknesses                     CWE-116
References
Metrics                        cvssV4_0: score 2.3, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T17:31:48.061Z

Reserved: 2026-05-18T22:25:21.257Z

Link: CVE-2026-47206

Vulnrichment

Updated: 2026-06-26T17:31:32.956Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T23:00:08Z

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output