Severity: high | CWE-306 | OWASP A07:2021

Redis Without Authentication

Your Redis instance has no password and is accessible beyond localhost, letting anyone who can reach it read all cached data, session tokens, and queue contents.

How It Works

Redis is often used for sessions, rate limiting, and job queues, all of which hold sensitive data. By default, Redis requires no authentication. Since Redis 3.2, protected mode refuses connections from non-loopback addresses when no bind directive and no password are configured, but an explicit bind 0.0.0.0 (or protected-mode no) switches that safeguard off. If your instance listens on a non-localhost address without requirepass set, anyone who can reach the port can connect with redis-cli and read or overwrite everything. Attackers also use CONFIG SET to point the RDB snapshot at an arbitrary directory and filename, which turns Redis into a primitive for writing files, such as web shells, to the server's filesystem.

Vulnerable Code
// BAD: no password, talking to a server whose redis.conf has bind 0.0.0.0
const Redis = require('ioredis');
const redis = new Redis({
  host: process.env.REDIS_HOST, // the server is reachable from the whole network, not just localhost
  port: 6379
  // No password: the client never sends AUTH, and the server does not demand it
});
Secure Code
// GOOD: require authentication; the server's redis.conf binds 127.0.0.1 or a private VPC IP
const Redis = require('ioredis');
const redis = new Redis({
  host: process.env.REDIS_HOST, // private VPC IP or 127.0.0.1
  port: 6379,
  username: process.env.REDIS_USERNAME, // optional: a Redis 6+ ACL user with minimal permissions
  password: process.env.REDIS_PASSWORD // matches requirepass (or the ACL user's password) in redis.conf
});

Real-World Example

Researchers have repeatedly demonstrated using unauthenticated Redis to achieve full server compromise: connect, run CONFIG SET dir /var/www/html, CONFIG SET dbfilename shell.php, then SET a key whose value is a PHP payload and SAVE to force a snapshot. The RDB file Redis writes contains binary framing around the stored value, but the PHP interpreter ignores the bytes outside the <?php ... ?> tags, so the dump executes as a web shell when requested over HTTP. The same technique works against any directory the Redis process can write to, which is why it needs to run as a low-privilege user with no access to web roots, cron directories, or .ssh directories. This attack vector has been exploited in the wild numerous times.
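The sequence described above, from the defender's side, as an added example that is not code from the original page: a Node.js script that recognises the dump-redirect pattern in Redis MONITOR output the way a detection rule would. The MONITOR line layout (unix timestamp, [db client-address], double-quoted arguments) is Redis's real format; the sample capture, the client addresses, the list of sensitive directories and the function names are constructed for this example.

```javascript
// Added example, not from the original page: detect the
// "CONFIG SET dir / CONFIG SET dbfilename / SAVE" file-write pattern in MONITOR output.

// Parse one MONITOR line: <unix ts> [<db> <client addr>] "CMD" "arg" ...
function parseMonitorLine(line) {
  const m = line.match(/^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$/);
  if (!m) return null;
  const args = [];
  const quoted = /"((?:[^"\\]|\\.)*)"/g; // Redis backslash-escapes quotes inside arguments
  let a;
  while ((a = quoted.exec(m[4])) !== null) args.push(a[1]);
  return { ts: parseFloat(m[1]), db: Number(m[2]), client: m[3], args };
}

// Directories where a redirected RDB dump means code execution or persistence
// (constructed list for this example; tune it to the host layout).
const SENSITIVE_DIR_PREFIXES = ['/var/www', '/etc/cron.d', '/var/spool/cron', '/root/.ssh', '/home'];

function isSensitiveDir(dir) {
  return dir !== null && SENSITIVE_DIR_PREFIXES.some((p) => dir === p || dir.startsWith(p + '/'));
}

// Walk the lines in order, keeping per-client dir/dbfilename state, and alert
// when that client forces a snapshot into a sensitive directory.
function detectRdbWrite(lines) {
  const state = new Map(); // client addr -> { dir, dbfilename }
  const alerts = [];
  for (const line of lines) {
    const ev = parseMonitorLine(line);
    if (!ev || ev.args.length === 0) continue;
    const cmd = ev.args[0].toUpperCase();
    const st = state.get(ev.client) || { dir: null, dbfilename: null };
    if (cmd === 'CONFIG' && ev.args.length >= 4 && ev.args[1].toUpperCase() === 'SET') {
      const key = ev.args[2].toLowerCase();
      if (key === 'dir') st.dir = ev.args[3].replace(/\/+$/, '');
      if (key === 'dbfilename') st.dbfilename = ev.args[3];
    }
    if ((cmd === 'SAVE' || cmd === 'BGSAVE') && isSensitiveDir(st.dir)) {
      alerts.push({
        ts: ev.ts,
        client: ev.client,
        path: `${st.dir}/${st.dbfilename || 'dump.rdb'}`, // dump.rdb is the Redis default filename
      });
    }
    state.set(ev.client, st);
  }
  return alerts;
}

// Constructed MONITOR capture: one attacker dropping a PHP shell, one normal client.
const SAMPLE_MONITOR = [
  '1700000000.100000 [0 10.0.0.7:51234] "CONFIG" "SET" "dir" "/var/www/html"',
  '1700000000.200000 [0 10.0.0.7:51234] "CONFIG" "SET" "dbfilename" "shell.php"',
  '1700000000.300000 [0 10.0.0.7:51234] "SET" "x" "<?php system($_GET[\'c\']); ?>"',
  '1700000000.400000 [0 10.0.0.7:51234] "SAVE"',
  '1700000001.000000 [0 10.0.0.12:40001] "GET" "session:abc"',
  '1700000002.000000 [0 10.0.0.12:40001] "BGSAVE"',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const a of detectRdbWrite(SAMPLE_MONITOR)) {
    console.log(`ALERT ${a.client} forced an RDB snapshot to ${a.path} at ${a.ts}`);
  }
}
```

State is tracked per client address because dir and dbfilename are server-wide settings that the attacker changes and then immediately uses from the same connection; a BGSAVE from an unrelated client (the second one in the sample) does not fire, and a redirect into a harmless directory such as /tmp is ignored. MONITOR itself costs throughput, so in production the same logic is better fed from a proxy log or a command-audit stream.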

How to Prevent It

  • Always set requirepass in redis.conf with a strong random password (32+ characters)
  • Bind Redis to 127.0.0.1 or your VPC private IP — never 0.0.0.0
  • Disable the CONFIG command in production if you don't need it: rename-command CONFIG '' in redis.conf (renaming to an empty string removes the command entirely)
  • Use the Redis 6+ ACL system to create one user per application with only the commands and key patterns it needs; denying CONFIG per user (-config) is the ACL equivalent of renaming it away
  • Never expose Redis port 6379 to the public internet — use VPC-internal access only
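The "How It Works" section and the checklist above, as an added example that is not part of the original page: a Node.js script that parses a redis.conf and reports which of the items are missing, so the same check can run in CI before a config ships. The directive names (bind, requirepass, protected-mode, rename-command, user) are Redis's own; the two sample configs, the placeholder password and the finding ids are constructed for this example.

```javascript
// Added example, not from the original page: audit a redis.conf against the
// hardening checklist (bind address, password, protected mode, CONFIG access).

function parseRedisConf(text) {
  const directives = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    // Tokenise on whitespace but keep quoted arguments intact, so that
    // rename-command CONFIG "" yields an empty-string argument.
    const tokens = [];
    const re = /"([^"]*)"|'([^']*)'|(\S+)/g;
    let m;
    while ((m = re.exec(line)) !== null) tokens.push(m[1] ?? m[2] ?? m[3]);
    directives.push({ name: tokens[0].toLowerCase(), args: tokens.slice(1) });
  }
  return directives;
}

// Bind arguments that mean "every interface"; Redis 6+ also accepts a leading
// "-" (optional address) and "::*" for IPv6.
const WILDCARD_BINDS = new Set(['0.0.0.0', '*', '::', '::*']);

function auditRedisConf(text) {
  const directives = parseRedisConf(text);
  const of = (name) => directives.filter((d) => d.name === name);
  const findings = [];

  // 1. Bind address: no bind directive at all also means every interface.
  const bindArgs = of('bind').flatMap((d) => d.args);
  if (bindArgs.length === 0 || bindArgs.some((a) => WILDCARD_BINDS.has(a.replace(/^-/, '')))) {
    const shown = bindArgs.join(' ') || '(unset, all interfaces)';
    findings.push({ id: 'bind-all-interfaces', message: `bind is ${shown}; use 127.0.0.1 or a private VPC IP` });
  }

  // 2. Password: requirepass sets the default user's password; an ACL
  //    "user <name> on >secret ..." line is the Redis 6+ equivalent.
  const requirepass = of('requirepass').map((d) => d.args[0] || '').pop() || '';
  const aclPassword = of('user').some((d) => d.args.some((a) => a.startsWith('>')));
  if (requirepass === '' && !aclPassword) {
    findings.push({ id: 'no-password', message: 'no requirepass or ACL password: anyone who reaches the port can run commands' });
  } else if (requirepass !== '' && requirepass.length < 32) {
    findings.push({ id: 'weak-password', message: `requirepass is ${requirepass.length} characters; use 32+ random characters` });
  }

  // 3. protected-mode defaults to yes; turning it off removes the last
  //    safeguard for a passwordless, wildcard-bound instance.
  const protectedMode = of('protected-mode').map((d) => (d.args[0] || '').toLowerCase()).pop();
  if (protectedMode === 'no') {
    findings.push({ id: 'protected-mode-off', message: 'protected-mode no: remote clients are accepted even without a password' });
  }

  // 4. CONFIG must be renamed away or denied through ACLs, otherwise a client
  //    can redirect the RDB snapshot to an arbitrary path on disk.
  const configRenamed = of('rename-command').some((d) => (d.args[0] || '').toUpperCase() === 'CONFIG' && d.args[1] === '');
  const configDenied = of('user').some((d) => d.args.some((a) => a === '-config' || a === '-@dangerous'));
  if (!configRenamed && !configDenied) {
    findings.push({ id: 'config-command-enabled', message: 'CONFIG is reachable: add rename-command CONFIG "" or deny it per ACL user' });
  }
  return findings;
}

// Constructed sample: a development config that ended up on a reachable host.
const INSECURE_CONF = `
bind 0.0.0.0
port 6379
protected-mode no
# requirepass foobared
`;

// Constructed sample: the same instance hardened per the checklist.
// The password is a placeholder for this example, not a real secret.
const HARDENED_CONF = `
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass "rQ7vLm2pZa8NdF4hKs6wTb1xYc3gJe9u"
rename-command CONFIG ""
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, conf] of [['insecure', INSECURE_CONF], ['hardened', HARDENED_CONF]]) {
    const findings = auditRedisConf(conf);
    console.log(`${label}: ${findings.length} finding(s)`);
    for (const f of findings) console.log(`  [${f.id}] ${f.message}`);
  }
}
```

Running it prints four findings for the insecure config and none for the hardened one. The audit reads the file only; it does not replace checking the running instance, since CONFIG SET can change bind, requirepass and protected-mode at runtime without touching redis.conf, which is one more reason to take CONFIG away from application users.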

Affected Technologies

Node.js, Python

Data Hogo detects this vulnerability automatically.
