A recent security audit of Redis 7.4.5 uncovered three severe flaws in the embedded Lua interpreter.
CVE-2025-49844 and CVE-2025-46817 permit remote code execution via, respectively, a use-after-free in the Lua parser and an integer overflow in the unpack() base library function.
CVE-2025-46818 allows an attacker to escalate privileges by modifying the metatables of Lua's basic types. Proof-of-concept exploits confirm that unpatched instances are exploitable in practice.
CVE Details Table
CVE Identifier | Description | Location | Impact | CVSS 3.1 Score
---|---|---|---|---
CVE-2025-49844 | Use-after-free in Lua parser | deps/lua/src/lparser.c:387 | Remote code execution | 9.8
CVE-2025-46817 | Integer overflow in unpack() | deps/lua/src/lbaselib.c | Stack corruption → RCE | 9.8
CVE-2025-46818 | Metatable privilege escalation | src/script_lua.c, src/eval.c | Privilege escalation | 8.2
CVE-2025-49844 arises in the luaY_parser function, where TString objects are created but not anchored on the Lua stack. If garbage collection runs while parsing is still in progress, the unanchored string is freed and the parser continues to use a dangling reference, leading to memory corruption. The patched version pushes the new TString onto the stack so that it stays reachable (and therefore uncollectable) until the parser no longer needs it.
CVE-2025-46817 affects the unpack() base library function, which computes the element count n = e - i + 1 without checking that the range fits in a C int. Crafted i and e arguments wrap the count, so the size the VM uses for its stack check no longer matches the number of values the push loop actually emits; the resulting Lua VM stack corruption enables arbitrary code execution when the overflowed size governs memory operations.
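The arithmetic at the heart of the bug, as an added illustration rather than code from Redis or the Lua project: a Python model of the unpack() element count that assumes 32-bit two's-complement C ints and Lua 5.1's default C-stack limit (LUAI_MAXCSTACK = 8000). The vulnerable model computes the count with wraparound and hands it straight to a lua_checkstack()-style size test; the hardened model rejects any range whose true size cannot be represented before doing the subtraction, using a comparison that itself cannot overflow in C. Function names and the simplified stack check are this example's own.

```python
# Added example (not Redis or Lua project code): model of the element-count
# arithmetic in Lua 5.1's unpack(). Assumes 32-bit two's-complement C ints
# and the Lua 5.1 default LUAI_MAXCSTACK of 8000.
INT_MAX = 2**31 - 1
INT_MIN = -2**31
LUAI_MAXCSTACK = 8000  # Lua 5.1 default limit on extra C-stack slots


def wrap32(x):
    """Reduce an unbounded Python int to what a signed 32-bit C int would hold."""
    return (x + 2**31) % 2**32 - 2**31


def checkstack_passes(n, top=0):
    """Simplified lua_checkstack(): only sizes above LUAI_MAXCSTACK are refused.
    A negative n passes, because both comparisons are signed."""
    return not (n > LUAI_MAXCSTACK or top + n > LUAI_MAXCSTACK)


def unpack_count_vulnerable(i, e):
    """Vulnerable model: n = e - i + 1 with C wraparound and no overflow guard.
    Returns (n as the C code sees it, whether the stack check passes,
    how many values the push loop over i..e would actually attempt)."""
    if i > e:
        return 0, True, 0          # empty range, nothing pushed
    n = wrap32(e - i + 1)
    return n, checkstack_passes(n), e - i + 1


def unpack_count_hardened(i, e):
    """Hardened model: refuse ranges whose true size exceeds INT_MAX.
    For i <= 0 the condition e > INT_MAX - 1 + i is equivalent to
    e - i + 1 > INT_MAX, and INT_MAX - 1 + i stays within int range in C."""
    if i > e:
        return 0
    if i <= 0 and e > INT_MAX - 1 + i:
        raise ValueError("too many results to unpack")
    n = e - i + 1                  # now guaranteed to fit in an int
    if not checkstack_passes(n):
        raise ValueError("too many results to unpack")
    return n


if __name__ == "__main__":
    # Constructed input: the widest possible range, 2**32 - 1 elements.
    n, passes, pushes = unpack_count_vulnerable(INT_MIN, INT_MAX - 1)
    print(f"vulnerable: n={n}, stack check passes={passes}, pushes={pushes}")
    try:
        unpack_count_hardened(INT_MIN, INT_MAX - 1)
    except ValueError as exc:
        print(f"hardened: rejected ({exc})")
```

Running it shows the wrapped count (-1) passing the stack check while the push loop would attempt 4,294,967,295 pushes; the hardened variant rejects the same range before any stack growth is attempted.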
CVE-2025-46818 exploits the fact that the metatables of the core types (string, number, boolean and nil) are mutable from Lua by default. An attacker who can run an untrusted script via EVAL can replace metamethods in these tables; because the Lua state is shared across scripts, the injected code later runs in the context of other users' scripts, escalating privileges.
The fix marks these core metatables read-only, so modification attempts are rejected with an error.
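A non-destructive way to check a running server for this condition, written here as an added example and not taken from the article's PoC or from Redis: the Lua probe below tries, inside pcall, to add a throwaway key to the metatable of each basic type, undoes the write if it succeeded, and reports "writable", "readonly" or "absent" per type (in stock Lua 5.1 only strings carry a metatable by default, so the others normally report "absent"). The Python side uses redis-py (imported lazily so the parsing helpers run without it); host, port and the status labels are this example's own choices, and the exact error text a patched server returns is deliberately not matched.

```python
# Added example (not the article's PoC and not Redis project code): probe
# whether the basic-type metatables of a Redis Lua engine are writable.
# Assumes redis-py for the network part; everything else is plain Python.

# Lua run via EVAL. Every write is wrapped in pcall and reverted, so the
# probe leaves the shared Lua state as it found it.
PROBE_SCRIPT = r"""
local function probe(v)
  local mt = getmetatable(v)
  if mt == nil then return "absent" end
  local ok = pcall(function() mt.__probe = 1 end)
  if ok then
    mt.__probe = nil            -- undo the harmless write
    return "writable"
  end
  return "readonly"
end
return { "string", probe(""), "number", probe(0),
         "boolean", probe(true), "nil", probe(nil) }
"""


def parse_probe_reply(reply):
    """Turn the flat [type, status, type, status, ...] RESP array into a dict.
    redis-py returns bytes unless decode_responses=True, so handle both."""
    items = [x.decode() if isinstance(x, bytes) else str(x) for x in reply]
    return dict(zip(items[0::2], items[1::2]))


def classify(status_by_type):
    """'vulnerable' if any basic-type metatable accepted a write, else 'hardened'."""
    if any(status == "writable" for status in status_by_type.values()):
        return "vulnerable"
    return "hardened"


def probe_server(host="127.0.0.1", port=6379, **client_kwargs):
    """Run the probe against one server. Returns 'vulnerable', 'hardened',
    or 'eval-denied' when the connecting user is not allowed to run scripts
    (which is itself a valid mitigation)."""
    import redis  # imported lazily so the helpers above work without redis-py
    client = redis.Redis(host=host, port=port, **client_kwargs)
    try:
        reply = client.eval(PROBE_SCRIPT, 0)
    except redis.exceptions.ResponseError as exc:
        if "NOPERM" in str(exc):
            return "eval-denied"
        raise
    return classify(parse_probe_reply(reply))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6379
    print(f"{host}:{port} -> {probe_server(host, port)}")
```

Because the probe only adds and removes a key that no metamethod looks up, it is safe to run against production instances, unlike the crash-inducing parser and unpack() tests the PoC carries.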
A comprehensive Python PoC includes tests for all three issues.
It stresses the Lua VM with extreme memory pressure to trigger the parser use-after-free, crafts unpack() calls with out-of-range bounds to detect the overflow, and attempts metatable modifications for each basic type.
Against an unpatched server the exploit attempts crash or subvert the process, whereas a patched server rejects the dangerous operations.
The discovery of these vulnerabilities underscores the risks inherent in embedding scripting engines without rigorous sandboxing and memory safety checks.
Remote code execution and privilege escalation exploits are publicly available and fully functional against Redis 7.4.5.
Administrators should upgrade to the patched versions containing commits 5785f3e6e, d5728cb57, 72be22dff and 61e56c1a7, or later.
Until patches are applied, disabling the Lua engine or restricting EVAL access (for example by removing the scripting commands from application users' ACLs) is strongly recommended to reduce this critical attack surface.
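One concrete form of the "restrict EVAL access" mitigation, added here as an example and not taken from the article or from Redis: Redis 7 ACLs group EVAL, EVALSHA, FCALL, FUNCTION and SCRIPT under the @scripting category, so removing that category from an application user blocks script execution for that user without touching the server build. The user name, password and host below are placeholders, redis-py is imported lazily so the rule builder runs without it, and the NOPERM check relies on Redis prefixing permission errors with that token.

```python
# Added example (not Redis project code): deny the whole @scripting ACL
# category to an application user, then verify that EVAL is refused.
# User name, password and host are placeholders chosen for this example.

def deny_scripting_rules(user, password=None, reset=False):
    """Build the ACL SETUSER argv.
    reset=False appends -@scripting to the user's existing rules (the usual
    case for a user that already exists); reset=True rebuilds the user from
    scratch with access to everything except scripting."""
    argv = ["ACL", "SETUSER", user]
    if reset:
        argv += ["on", "~*", "&*", "+@all"]
        if password:
            argv.append(">" + password)
    argv.append("-@scripting")  # EVAL, EVALSHA, FCALL, FUNCTION, SCRIPT ...
    return argv


def apply_rules(admin_client, user, password=None, reset=False):
    """Send the rules with an already-authenticated admin connection."""
    return admin_client.execute_command(*deny_scripting_rules(user, password, reset))


def eval_is_denied(host, port, user, password):
    """Connect as the restricted user and confirm EVAL fails with NOPERM.
    Returns True when scripting is blocked, False when 'return 1' ran."""
    import redis  # imported lazily so deny_scripting_rules() works without redis-py
    client = redis.Redis(host=host, port=port, username=user, password=password)
    try:
        client.eval("return 1", 0)
    except redis.exceptions.ResponseError as exc:
        return "NOPERM" in str(exc)
    return False


if __name__ == "__main__":
    import redis
    admin = redis.Redis(host="127.0.0.1", port=6379)          # placeholder admin conn
    apply_rules(admin, "appuser", password="app-secret", reset=True)
    print("EVAL denied for appuser:", eval_is_denied("127.0.0.1", 6379,
                                                     "appuser", "app-secret"))
```

Apply the same treatment to the default user if applications authenticate as it; otherwise an attacker who reaches the port unauthenticated still gets EVAL. Persist the result with ACL SAVE (or an aclfile) so it survives a restart.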