Three newly disclosed vulnerabilities have been identified in the Lua scripting engine of Redis 7.4.5, each presenting a severe risk of remote code execution and privilege escalation.
RedRays has released a detailed proof-of-concept (PoC) exploiting these vulnerabilities, which is now publicly available. Organizations are urged to act immediately.
Use-After-Free Flaw (CVE-2025-49844)
This vulnerability arises when TString objects are not properly protected during script parsing. Specifically, in luaY_parser, the Lua parser fails to safeguard a newly created TString, making it susceptible to premature garbage collection and use-after-free conditions:
The patched code protects the object on the stack before parsing:
Attackers can exploit this issue for remote code execution by carefully triggering garbage collection during the parsing process.
Integer Overflow Vulnerability (CVE-2025-46817)
The unpack() function incorrectly calculates element counts, enabling stack corruption when called with extreme range parameters.
By manipulating arguments such as unpack({1,2,3}, -2, 2147483647), attackers may bypass array bounds and even execute arbitrary code.
Metatable Privilege Escalation Flaw (CVE-2025-46818)
This flaw allows modification of critical metatables, such as those for strings and numbers, because they are not properly protected as read-only.
By altering metatables, a malicious actor could inject logic that performs privilege escalation or code execution in the context of other users.
RedRays stated that a robust Python-based PoC verifies the criticality of all three vulnerabilities. The PoC automates:
Aggressive heap and garbage-collection stress tests for use-after-free exploitation (CVE-2025-49844),
Fuzzing of the unpack() call to trigger integer overflow and stack corruption (CVE-2025-46817),
Manipulation of basic type metatables to demonstrate privilege escalation via crafted Lua scripts (CVE-2025-46818).
The code connects to a target Redis instance and runs up to ten full-stack tests, confirming exploitability and the presence or absence of proper patching.
These technical checks leverage custom Lua scripts sent via Redis EVAL commands, exposing vulnerable server states and printing crash/output evidence.
CVE | Title | Severity
CVE-2025-49844 | Use-After-Free in Lua Parser (deps/lua/src/lparser.c:387) | Critical
CVE-2025-46817 | Integer Overflow in unpack() (deps/lua/src/lbaselib.c) | Critical
CVE-2025-46818 | Metatable Privilege Escalation (script_lua.c, eval.c) | Critical
Mitigations
Redis administrators should immediately update to patched versions. These CVEs, confirmed by source review and practical exploitation, collectively expand the Redis attack surface, exposing production servers to real-world threats, especially where EVAL access is available.
Organizations running Redis 7.4.5 should deploy fixes without delay, as attackers can exploit these flaws to achieve full remote code execution and unauthorized privilege escalation.
Rapid patching is essential for all internet-facing or untrusted Redis deployments.
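Because all three flaws are reached through EVAL, an administrator's first two questions are whether an instance runs the affected version and which enabled users can execute Lua at all. The following audit helper is an added example written for this page; it is not RedRays' PoC or any Redis project code. It parses the plain text of `INFO server` and the lines of `ACL LIST` (both embedded here as constructed samples, so it runs offline) and applies ACL command rules left to right the way Redis does. Assumptions: the affected-version list defaults to the 7.4.5 named on this page (extend it from the vendor advisory), and only the @all, @scripting and @slow categories plus the eval/evalsha commands are modelled, since those are the rules that grant or revoke EVAL.

```python
"""Defender-side audit: affected version and EVAL reachability from ACLs.

Added example for this article, not RedRays' PoC. Inputs are raw strings as
returned by `redis-cli INFO server` and `redis-cli ACL LIST`; the samples below
are constructed for demonstration.
"""
from typing import Dict, List, Optional, Sequence

# ACL categories that contain EVAL/EVALSHA: @all, @scripting, and @slow
# (EVAL is not flagged "fast", so it is also a member of @slow).
_CATEGORIES_WITH_EVAL = {"@all", "@scripting", "@slow"}
_EVAL_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro"}


def parse_info_version(info_text: str) -> Optional[str]:
    """Return the redis_version field from `INFO server` output, or None."""
    for line in info_text.splitlines():
        line = line.strip()
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    return None


def user_can_eval(acl_line: str) -> Dict[str, object]:
    """Evaluate one `ACL LIST` line; rules are applied left to right like Redis.

    Returns a dict with 'user', 'enabled', 'nopass' and 'can_eval'.
    Key (~, %R~), channel (&) and reset* tokens do not affect command access.
    """
    tokens = acl_line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    name = tokens[1]
    enabled = nopass = can_eval = False
    for tok in tokens[2:]:
        if tok == "on":
            enabled = True
        elif tok == "off":
            enabled = False
        elif tok == "nopass":
            nopass = True
        elif tok.startswith("#") or tok.startswith(">"):
            nopass = False  # a password (hash) is configured
        elif tok == "allcommands":
            can_eval = True
        elif tok == "nocommands":
            can_eval = False
        elif tok[0] in "+-":
            allow = tok[0] == "+"
            rule = tok[1:].lower().split("|", 1)[0]  # strip any subcommand part
            if rule in _CATEGORIES_WITH_EVAL or rule in _EVAL_COMMANDS:
                can_eval = allow
    return {"user": name, "enabled": enabled, "nopass": nopass, "can_eval": can_eval}


def audit(info_text: str, acl_lines: Sequence[str],
          vulnerable_versions: Sequence[str] = ("7.4.5",)) -> Dict[str, object]:
    """Combine the version check with the ACL review and return findings."""
    version = parse_info_version(info_text)
    findings: List[str] = []
    if version in vulnerable_versions:
        findings.append(f"redis_version {version} is listed as affected by "
                        "CVE-2025-49844, CVE-2025-46817 and CVE-2025-46818: upgrade")
    eval_users = [u for u in map(user_can_eval, acl_lines) if u["enabled"] and u["can_eval"]]
    for u in eval_users:
        sev = "HIGH" if u["nopass"] else "MEDIUM"
        findings.append(f"{sev}: enabled user '{u['user']}' can run EVAL"
                        + (" without a password" if u["nopass"] else ""))
    return {"version": version,
            "eval_users": [u["user"] for u in eval_users],
            "findings": findings}


# Constructed sample output (not captured from a real server).
SAMPLE_INFO = "# Server\r\nredis_version:7.4.5\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #placeholderhash sanitize-payload ~app:* resetchannels -@all +@read +@write",
    "user ops on #placeholderhash sanitize-payload ~* &* +@all -@scripting",
    "user batch off #placeholderhash sanitize-payload ~* &* +@all",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INFO, SAMPLE_ACL)["findings"]:
        print(f)
```

In the sample, only the passwordless `default` user is flagged: `app` starts from `-@all` and never regains a scripting category, `ops` explicitly revokes `@scripting`, and `batch` is disabled. Until the upgrade is deployed, the same `-@scripting` rule (or `-eval -evalsha`) on every user that does not need Lua removes the path all three CVEs depend on.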