Out-of-Bound Data Access in Redis In-Memory Database
CVE-2025-46819

6.3 MEDIUM

Key Information:

Vendor: Redis

Status
Vendor
CVE Published: 3 October 2025

What is CVE-2025-46819?

Redis, an open-source in-memory database, is affected by a vulnerability where an authenticated user can leverage specially crafted Lua scripts to read out-of-bound data, potentially resulting in server crashes and subsequent denial of service. This vulnerability affects all versions of Redis that support Lua scripting. The issue is patched in version 8.2.2. Users can mitigate this risk by preventing unauthorized execution of Lua scripts through Access Control Lists (ACLs), effectively restricting both the EVAL and FUNCTION command families.
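One way to check the ACL mitigation described above, as an added example that is not part of the advisory or of Redis: a Python audit of `ACL LIST` output that reports which users can still reach the EVAL and FUNCTION command families. The command list, the category table and the sample lines are assumptions constructed for illustration; confirm category contents with `ACL CAT` on the server.

```python
# Commands taken here as the EVAL and FUNCTION families (assumption).
SCRIPTING = frozenset({"eval", "evalsha", "eval_ro", "evalsha_ro", "script",
                       "function", "fcall", "fcall_ro"})
# Assumed category contents; confirm on the server with ACL CAT <category>.
GRANTS = {"all": SCRIPTING, "scripting": SCRIPTING, "slow": SCRIPTING,
          "write": frozenset({"function"})}
REVOKES = {"all": SCRIPTING, "scripting": SCRIPTING}

def allowed_scripting(rules):
    """Apply ACL rules left to right; return scripting commands still reachable."""
    allowed = set()
    for rule in (r.lower() for r in rules):
        rule = {"allcommands": "+@all", "nocommands": "-@all"}.get(rule, rule)
        if rule[:1] not in ("+", "-"):
            continue  # on/off, passwords, key and channel patterns
        grant, name = rule[0] == "+", rule[1:]
        if name.startswith("@"):
            cmds = (GRANTS if grant else REVOKES).get(name[1:], frozenset())
        elif "|" in name and not grant:
            continue  # removing one subcommand leaves the rest of the command
        else:
            cmds = {name.split("|")[0]} & SCRIPTING
        allowed = allowed | cmds if grant else allowed - cmds
    return allowed

def audit(acl_list_lines):
    """Map user name -> sorted scripting commands the user can still run."""
    findings = {}
    for line in acl_list_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        # Selectors "(...)" grant independently of the root rules: union them.
        segments = " ".join(parts[2:]).replace(")", "").split("(")
        reach = set().union(*(allowed_scripting(s.split()) for s in segments))
        if reach:
            findings[parts[1]] = sorted(reach)
    return findings

# Constructed ACL LIST output (password hashes replaced by a placeholder).
SAMPLE = [
    "user default on nopass ~* &* +@all",
    "user app on #<hash> ~app:* resetchannels -@all +get +set +evalsha",
    "user worker on #<hash> ~* resetchannels +@all -@scripting",
    "user report on #<hash> ~* resetchannels +@all -eval -function",
    "user batch on #<hash> ~* resetchannels -@all +get (~tmp:* +fcall)",
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

The audit errs toward over-reporting: a granted subcommand counts as access to the whole command, and only `-@all` and `-@scripting` are trusted to revoke everything.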

Affected Version(s)

redis < 8.2.2

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
