I aim to acknowledge within 72 hours and fix critical issues within 30 days.
| Caveat | Why |
|---|---|
| No authentication | Anyone who can open a TCP connection to the port can read+write+flush. Bind to localhost or place behind a network policy. |
| No TLS | RESP traffic is plaintext. For production-ish use, terminate TLS in front (e.g. stunnel, envoy). |
| `FLUSHALL` accepts no auth and no confirmation | One connection can wipe everything. By design — matches real Redis behavior when `requirepass` is disabled. |
| Memory accounting is approximate | `estimateSize()` is a heuristic per type. Adversarial input could find inputs whose actual heap impact exceeds the estimate. Don't expose to untrusted clients. |
- A way to crash the server via malformed RESP input.
- A pattern in `KEYS` that triggers catastrophic regex backtracking.
- A `SET` payload that causes unbounded memory growth past `maxMemoryBytes`.
- A way to bypass expiration (read a key after its TTL has elapsed).
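The `KEYS` backtracking item is the one that can be ruled out structurally rather than by input filtering. As an added illustration (not this project's code), a Java glob matcher that walks the pattern directly instead of compiling it to a `java.util.regex.Pattern`, so a client-supplied pattern cannot produce exponential matching time; it assumes the Redis glob subset `*`, `?`, `[...]` with ranges and `^` negation, and `\` escapes.

```java
// Added example, not the project's code. Matches Redis-style glob patterns without
// regex, so worst-case cost is O(pattern.length() * key.length()), never exponential.
// Assumes the project's KEYS accepts the Redis subset: *, ?, [abc], [a-z], [^x], \ escapes.
public final class GlobMatcher {
    /** True if key matches pattern. starP/starK record where to resume after the last '*'. */
    public static boolean matches(String pattern, String key) {
        int p = 0, k = 0, starP = -1, starK = -1;
        while (k < key.length()) {
            if (p < pattern.length()) {
                if (pattern.charAt(p) == '*') { starP = p++; starK = k; continue; } // try zero chars first
                int next = matchOne(pattern, p, key.charAt(k));
                if (next >= 0) { p = next; k++; continue; }
            }
            if (starP < 0) return false;             // mismatch and no '*' to fall back on
            p = starP + 1;                           // let the last '*' absorb one more key char
            k = ++starK;
        }
        while (p < pattern.length() && pattern.charAt(p) == '*') p++; // trailing '*' match empty
        return p == pattern.length();
    }

    /** Matches key char c against the pattern element at p; returns next pattern index or -1. */
    private static int matchOne(String pattern, int p, char c) {
        char pc = pattern.charAt(p);
        if (pc == '?') return p + 1;
        if (pc == '\\' && p + 1 < pattern.length()) return pattern.charAt(p + 1) == c ? p + 2 : -1;
        if (pc != '[') return pc == c ? p + 1 : -1;
        int i = p + 1;                               // character class: scan to the closing ']'
        boolean negate = i < pattern.length() && pattern.charAt(i) == '^';
        if (negate) i++;
        boolean hit = false;
        while (i < pattern.length() && pattern.charAt(i) != ']') {
            char lo = pattern.charAt(i);
            if (lo == '\\' && i + 1 < pattern.length()) lo = pattern.charAt(++i); // escaped member
            if (i + 2 < pattern.length() && pattern.charAt(i + 1) == '-' && pattern.charAt(i + 2) != ']') {
                hit |= lo <= c && c <= pattern.charAt(i + 2);   // range such as a-z
                i += 3;
            } else {
                hit |= lo == c;
                i++;
            }
        }
        if (i >= pattern.length()) return pc == c ? p + 1 : -1; // unterminated '[': treat literally
        return hit != negate ? i + 1 : -1;
    }

    public static void main(String[] args) {
        // A pattern of this shape is a classic backtracking trigger when translated to regex.
        System.out.println(matches("user:*:session", "user:42:session") + " "
            + matches("*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"));
    }
}
```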
- "No auth" — see caveat table; add it as a feature PR.
- "No TLS" — pair with a TLS terminator.
- Vulnerabilities in Netty, Logback — report upstream.