Insecure Lua Scripting in Redis Database by Redis Labs
CVE-2025-46818

6.0 MEDIUM

Key Information:

Vendor: Redis
Status: Vendor
CVE Published: 3 October 2025

Badges: 👾 Exploit Exists · 🟡 Public PoC

What is CVE-2025-46818?

Redis, the widely deployed in-memory database, contains a flaw in its Lua scripting engine: an authenticated user can submit a specially crafted Lua script that manipulates Lua objects and potentially runs arbitrary code in the context of a different user. The problem exists in every Redis version that ships Lua scripting, and it is fixed in Redis 8.2.2. Where redis-server cannot be patched promptly, the attack surface can be removed without touching the binary by preventing users from executing Lua at all: use ACLs to deny the EVAL and FUNCTION command families (the @scripting category, which also covers EVALSHA, FCALL and SCRIPT) to every user who does not need them. Note that "authenticated" sets a low bar on a stock install, where the default user has no password and full command access unless requirepass or an ACL file has been configured, so an instance reachable from an untrusted network is exposed to any client that can open a connection.
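The ACL workaround is only as good as the rule set it lands in: Redis evaluates ACL rules left to right, so a later "+@slow" or "+eval_ro" quietly undoes an earlier "-@scripting". The audit script below is an added example for this page, not Redis's own tooling. It parses constructed ACL LIST output, replays a simplified version of the rule evaluation (command and category tokens only; selectors, key and channel patterns are ignored), and lists every enabled user who can still reach a command in the @scripting family together with the ACL SETUSER line that closes the gap. The category membership table is an assumption taken from the documented command categories; confirm it on your build with ACL CAT scripting, and note that @slow is modelled because it contains every scripting command as well.

```python
"""Offline audit of `ACL LIST` output: which Redis users can still run Lua.
Added example for this page, not Redis tooling; it replays a simplified version
of Redis's left-to-right ACL rule evaluation (command/category tokens only)."""
from typing import Dict, List, Set

# Members of @scripting (assumption; confirm on your build with `ACL CAT scripting`).
SCRIPTING_CMDS: Set[str] = {
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "fcall", "fcall_ro", "function", "script",
}
# Partial category table; it only has to be exact for categories that can grant
# a scripting command. @slow also contains every scripting command, so
# "-@all +@slow" silently re-enables EVAL.
CATEGORY_MEMBERS: Dict[str, Set[str]] = {
    "scripting": set(SCRIPTING_CMDS),
    "slow": set(SCRIPTING_CMDS) | {"keys", "flushall"},
    "read": {"get", "mget"},
    "write": {"set", "del"},
}
ALL_CMDS: Set[str] = set().union(*CATEGORY_MEMBERS.values())

def _drop(allowed: Set[str], cmd: str) -> None:
    """Remove a whole command and any of its "cmd|sub" grants."""
    allowed.discard(cmd)
    for entry in [e for e in allowed if e.startswith(cmd + "|")]:
        allowed.discard(entry)

def effective_commands(rules: List[str]) -> Set[str]:
    """Apply +/- tokens left to right (later tokens win). Entries are "eval" or
    "function|list"; carving one subcommand out of a whole-command grant is not
    modelled, so such a command stays flagged (errs on the side of reporting)."""
    allowed: Set[str] = set()
    for tok in rules:  # on/off, passwords, ~key and &channel patterns fall through
        if tok in ("allcommands", "+@all"):
            allowed = set(ALL_CMDS)
        elif tok in ("nocommands", "-@all"):
            allowed = set()
        elif tok.startswith(("+@", "-@")):
            members = CATEGORY_MEMBERS.get(tok[2:], set())  # unknown category: no effect
            if tok[0] == "+":
                allowed |= members
            else:
                for cmd in members:
                    _drop(allowed, cmd)
        elif tok.startswith("+"):
            name = tok[1:]
            if "|" not in name:
                _drop(allowed, name)  # a whole-command grant supersedes subcommand entries
                allowed.add(name)
            elif name.split("|", 1)[0] not in allowed:
                allowed.add(name)
        elif tok.startswith("-"):
            if "|" in tok:
                allowed.discard(tok[1:])
            else:
                _drop(allowed, tok[1:])
    return allowed

def parse_acl_list(output: str) -> Dict[str, List[str]]:
    """Map user name -> rule tokens from lines like "user app on #... +@all"."""
    users: Dict[str, List[str]] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "user":
            users[parts[1]] = parts[2:]
    return users

def scripting_grants(rules: List[str]) -> List[str]:
    """Scripting-family commands still reachable; [] for users that are "off"."""
    enabled = False
    for tok in rules:
        if tok in ("on", "off"):
            enabled = tok == "on"
    if not enabled:
        return []
    return sorted(e for e in effective_commands(rules)
                  if e.split("|", 1)[0] in SCRIPTING_CMDS)

def audit(output: str) -> Dict[str, List[str]]:
    """Every enabled user who can still reach Lua, with the grants responsible."""
    return {name: grants for name, rules in parse_acl_list(output).items()
            if (grants := scripting_grants(rules))}

def hardening_rules(output: str) -> List[str]:
    """`ACL SETUSER` lines that apply the advisory's workaround to flagged users."""
    return [f"ACL SETUSER {name} -@scripting" for name in audit(output)]

# Constructed `ACL LIST` output (not from a real server; password hashes shortened).
SAMPLE_ACL_LIST = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #2c26b4 ~app:* &* -@all +@read +@write +@scripting
user app_ro on #8f4e1a ~app:* &* -@all +@read +eval_ro
user batch on #ab12cd ~* &* -@all +@slow -eval +function|list
user disabled off #ee55ff ~* &* +@all
user hardened on #77aa00 ~* &* +@all -@scripting
"""

if __name__ == "__main__":
    print(audit(SAMPLE_ACL_LIST), *hardening_rules(SAMPLE_ACL_LIST), sep="\n")
```

Feed it the text of redis-cli ACL LIST from each node. In the constructed sample, default (stock +@all), app (+@scripting), app_ro (an explicit +eval_ro) and batch (+@slow re-granting everything but the removed eval) are reported; disabled is skipped because the user is off, and hardened is clean because -@scripting comes after +@all. Anything the model cannot reason about, such as a subcommand exclusion, is left flagged rather than assumed safe.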

Affected Version(s)

redis < 8.2.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

References

CVSS V3.1

Score: 6.0
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved
