Anonymous Intelligence Signal

Redis 8.0 Branch Lacks CVE-2025-62507 Stack Overflow Fix — 148 Commits Behind Default

The Lab | unverified | 2026-04-30 10:54:13 | Source: GitHub Issues

A security audit has identified a critical patch gap in Redis's long-term support infrastructure. The upstream fix for CVE-2025-62507 — a stack overflow vulnerability in the XACKDEL command triggered when message IDs exceed the STREAMID_STATIC_VECTOR_LEN threshold — has not been backported to the 8.0 stable branch, leaving deployments on that line potentially exposed to a known, patched flaw.

The vulnerability was addressed on Redis's default branch via commit 5f83972188f6e5b1d6f1940218c650a9cbdf7741, titled "Fix XACKDEL stack overflow when IDs exceed STREAMID_STATIC_LEN." However, a branch comparison shows the 8.0 line sitting 148 commits behind the default branch, with no evidence of a cherry-pick or equivalent patch in its commit history. The discrepancy was flagged in a GitHub issue directed at maintainers, requesting confirmation on whether the 8.0 branch is still under active security support or is considered end-of-life.
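Operators who want to verify the gap themselves, rather than trust a branch comparison, can ask git two questions: is the fix SHA an ancestor of the release branch tip, and, because a cherry-pick gets a new SHA, does any commit on that branch carry the fix's subject line. The script below is an added example (not from the GitHub issue or the Redis project); instead of cloning Redis it builds a small constructed repository with an `unstable` branch that has the fix and an `8.0` branch that does not, and the branch names and commit subjects in it are placeholders. Against a real checkout the call is `report /path/to/redis 8.0 5f83972188f6e5b1d6f1940218c650a9cbdf7741 "Fix XACKDEL stack overflow"`.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Redis project.
# Two checks for whether a fix has reached a release branch:
#   1. ancestry: is the fix SHA reachable from the branch tip?
#   2. subject search: a cherry-pick changes the SHA, so also look for the
#      original commit subject in the branch history.

# Identity for the constructed demo commits (placeholder values).
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Exit 0 if commit $3 is an ancestor of branch $2 in repo $1.
fix_backported() {
  git -C "$1" merge-base --is-ancestor "$3" "$2"
}

# Exit 0 if any commit on branch $2 of repo $1 has a subject containing $3.
backport_by_subject() {
  found=$(git -C "$1" log --oneline --fixed-strings --grep="$3" "$2")
  [ -n "$found" ]
}

# Print how many commits on $3 are missing from $2 (GitHub's "behind" count).
commits_behind() {
  git -C "$1" rev-list --count "$2..$3"
}

# Constructed demo repository: "unstable" carries the fix, "8.0" does not.
# Prints the repository path.
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" symbolic-ref HEAD refs/heads/unstable
  git -C "$dir" commit -q --allow-empty -m "base"
  git -C "$dir" branch 8.0
  git -C "$dir" commit -q --allow-empty -m "Fix XACKDEL stack overflow (placeholder subject)"
  git -C "$dir" checkout -q 8.0
  git -C "$dir" commit -q --allow-empty -m "Unrelated 8.0 change (placeholder)"
  git -C "$dir" checkout -q unstable
  printf '%s\n' "$dir"
}

# Human-readable verdict for one branch: $1 repo, $2 branch, $3 fix SHA, $4 subject.
report() {
  repo=$1; branch=$2; sha=$3; subject=$4
  if fix_backported "$repo" "$branch" "$sha"; then
    echo "$branch: fix $sha present (ancestor of branch tip)"
  elif backport_by_subject "$repo" "$branch" "$subject"; then
    echo "$branch: fix SHA absent, but a commit with the same subject exists (likely cherry-pick)"
  else
    echo "$branch: fix absent, $(commits_behind "$repo" "$branch" unstable) commit(s) behind unstable"
  fi
}

# Demo run against the constructed repository.
demo=$(make_demo_repo)
fix_sha=$(git -C "$demo" rev-parse unstable)
report "$demo" 8.0 "$fix_sha" "Fix XACKDEL stack overflow"
report "$demo" unstable "$fix_sha" "Fix XACKDEL stack overflow"
rm -rf "$demo"
```

The subject search is the weaker of the two checks (a backport may be retitled or squashed with other work), so a negative result from both is evidence, not proof; a positive ancestry result is conclusive.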

The implications hinge on Redis's security maintenance policy for stable branches. If 8.0 is still receiving security updates, the missing backport represents a window of exposure for operators who rely on the LTS channel rather than tracking default. Security-conscious deployments may face pressure to either upgrade to a newer branch or implement temporary mitigations — neither of which is ideal for production environments seeking predictable patch cycles. The researcher who surfaced the gap has offered to open a backport pull request, which could accelerate remediation if maintainers confirm 8.0 is within scope.