Out-of-Bound Data Access in Redis In-Memory Database
CVE-2025-46819

6.3 MEDIUM

Key Information:

Vendor: Redis
Status: Vendor
CVE Published: 3 October 2025

Badges

👾 Exploit Exists   🟡 Public PoC

What is CVE-2025-46819?

Redis, an open-source in-memory database, is affected by a vulnerability in which an authenticated user can use specially crafted Lua scripts to read out-of-bounds data, which can crash the server and cause a denial of service. This vulnerability affects all versions of Redis that support Lua scripting. The issue is patched in version 8.2.2. Users can mitigate the risk by using Access Control Lists (ACLs) to prevent unauthorized execution of Lua scripts, restricting both the EVAL and FUNCTION command families.
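An added check for the ACL mitigation described above (example code, not from Redis or this advisory): it parses a Redis users.acl file and reports enabled users who can still reach the EVAL and FUNCTION command families. The @scripting membership list, the category handling and the sample ACL content are assumptions made for the example.

```python
# Added example, not Redis project code: audit a users.acl file for enabled
# users who can still reach the EVAL and FUNCTION command families.
# SCRIPTING is an assumed subset of Redis's real @scripting category.
SCRIPTING = {"eval", "evalsha", "eval_ro", "evalsha_ro",
             "script", "fcall", "fcall_ro", "function"}
CATEGORIES = {"all": SCRIPTING, "scripting": SCRIPTING}
ALIASES = {"allcommands": "+@all", "nocommands": "-@all"}

def _base(token):
    return token.split("|", 1)[0]            # "function|load" -> "function"

def allowed_scripting(rules):
    """Apply command rules in order; return the scripting commands left allowed."""
    allowed = set()
    for rule in rules:
        r = ALIASES.get(rule.lower(), rule.lower())
        if r.startswith("+@"):
            allowed |= CATEGORIES.get(r[2:], set())
        elif r.startswith("-@"):
            allowed -= CATEGORIES.get(r[2:], set())
        elif r[:1] in ("+", "-") and _base(r[1:]) in SCRIPTING:
            if r[0] == "+":                  # a subcommand grant still reaches the family
                allowed.add(_base(r[1:]))
            elif "|" not in r:               # denying one subcommand is not a full deny
                allowed.discard(r[1:])
        # on/off, >password, ~key and &channel rules never change command access
    return allowed

def parse_acl_file(text):
    # Map user name -> rule list for each "user <name> <rules...>" line.
    users = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 2 and parts[0] == "user":
            users[parts[1]] = parts[2:]
    return users

def audit(text):
    # Enabled users that retain any scripting command -> sorted command list.
    findings = {}
    for name, rules in parse_acl_file(text).items():
        state = [r for r in rules if r in ("on", "off")]
        if state and state[-1] == "on" and (left := allowed_scripting(rules)):
            findings[name] = sorted(left)    # 'off' users cannot authenticate at all
    return findings

# Constructed users.acl content; the passwords are placeholders.
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user app on >app-placeholder ~app:* &* +@read +@write -@scripting
user jobs on >jobs-placeholder ~jobs:* +@all -@scripting +eval
user legacy off >old-placeholder ~* +@all
"""
```

On the sample file, `audit(SAMPLE_ACL)` flags `default` (full access via `+@all`) and `jobs` (`-@scripting` undone by a later `+eval`), while `app` is clean and the disabled `legacy` user is skipped.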

Affected Version(s)

redis < 8.2.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

References

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS v3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved
