CVE-2025-46817 Overview
CVE-2025-46817 is an integer overflow vulnerability in Redis, the popular open-source in-memory database. The vulnerability exists in the Lua scripting engine embedded within Redis, where an authenticated user can craft a malicious Lua script that triggers an integer overflow condition. This overflow can potentially be exploited to achieve remote code execution on the affected Redis server.
The vulnerability affects all versions of Redis with Lua scripting support through version 8.2.1. Given Redis's widespread use as a caching layer, session store, and message broker in modern application architectures, this vulnerability poses a significant risk to organizations relying on Redis infrastructure.
Critical Impact
Authenticated attackers can exploit this integer overflow in Redis's Lua scripting engine to potentially achieve remote code execution, compromising the confidentiality, integrity, and availability of the Redis server and connected systems.
Affected Products
- Redis versions prior to 2.6.12
- Redis versions 7.0.0 through 7.4.3
- Redis versions 8.0.0 through 8.2.1
Discovery Timeline
- 2025-10-03 - CVE-2025-46817 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2025-46817
Vulnerability Analysis
This vulnerability resides in Redis's embedded Lua interpreter, specifically within the luaB_unpack function in lbaselib.c and the luaH_getnum function in ltable.c. The core issue stems from improper handling of integer arithmetic when calculating array sizes and indices, which can result in integer overflow conditions.
When processing specially crafted Lua scripts, the vulnerable code performs arithmetic operations on signed integers without adequate bounds checking. An attacker with authenticated access to execute Lua scripts can manipulate the unpack function parameters to trigger an integer overflow, potentially bypassing security checks and corrupting memory in ways that could lead to arbitrary code execution.
Root Cause
The root cause is an integer overflow vulnerability (CWE-190) in the Lua base library's unpack function. The original implementation calculated the number of elements to unpack using signed integer arithmetic: n = e - i + 1. When an attacker provides carefully chosen values for the start index i and end index e, this calculation can overflow, producing a negative or unexpectedly small value that bypasses the subsequent stack size check.
Attack Vector
The attack requires authenticated access to a Redis server with the ability to execute Lua scripts via the EVAL or EVALSHA commands. An attacker can craft a Lua script that calls the unpack function with specifically chosen parameters designed to trigger the integer overflow. The network-based attack vector combined with low attack complexity makes this vulnerability particularly concerning in environments where Redis is accessible to multiple users or services.
// Vulnerable code in deps/lua/src/lbaselib.c
static int luaB_unpack (lua_State *L) {
int i, e, n;
luaL_checktype(L, 1, LUA_TTABLE);
i = luaL_optint(L, 2, 1);
e = luaL_opt(L, luaL_checkint, 3, luaL_getn(L, 1));
if (i > e) return 0; /* empty range */
n = e - i + 1; /* number of elements - VULNERABLE TO OVERFLOW */
if (n <= 0 || !lua_checkstack(L, n)) /* n <= 0 means arith. overflow */
return luaL_error(L, "too many results to unpack");
// ...
}
Source: GitHub Redis Commit
The patch addresses this by changing the variable n to an unsigned integer and restructuring the arithmetic to prevent overflow:
// Patched code in deps/lua/src/lbaselib.c
static int luaB_unpack (lua_State *L) {
int i, e;
unsigned int n;
luaL_checktype(L, 1, LUA_TTABLE);
i = luaL_optint(L, 2, 1);
e = luaL_opt(L, luaL_checkint, 3, luaL_getn(L, 1));
if (i > e) return 0; /* empty range */
n = (unsigned int)e - (unsigned int)i; /* number of elements minus 1 */
if (n >= INT_MAX || !lua_checkstack(L, ++n))
return luaL_error(L, "too many results to unpack");
// ...
}
Source: GitHub Redis Commit
Detection Methods for CVE-2025-46817
Indicators of Compromise
- Unusual Lua script executions via EVAL or EVALSHA commands with abnormally large or negative index parameters
- Redis server crashes or unexpected restarts that may indicate exploitation attempts
- Memory corruption patterns or segmentation faults in Redis logs
- Anomalous unpack function calls in Lua scripts with extreme integer values
Detection Strategies
- Monitor Redis command logs for EVAL and EVALSHA commands, particularly those containing unpack function calls with suspicious parameters
- Implement network-level monitoring to detect unusual Redis traffic patterns or command sequences from authenticated sessions
- Deploy runtime application self-protection (RASP) solutions to detect integer overflow exploitation attempts
- Use Redis's slowlog feature to identify potentially malicious scripts with unusual execution characteristics
Monitoring Recommendations
- Enable Redis audit logging to capture all Lua script executions for forensic analysis
- Configure alerting for Redis server crashes or abnormal memory usage patterns
- Monitor for unusual authentication patterns that could indicate compromised credentials being used to exploit this vulnerability
- Implement rate limiting on Lua script execution to reduce the attack surface
How to Mitigate CVE-2025-46817
Immediate Actions Required
- Upgrade Redis to version 8.2.2 or later immediately on all affected systems
- Review and restrict which users and applications have authenticated access to execute Lua scripts on Redis servers
- Implement network segmentation to limit access to Redis instances from untrusted networks
- Audit existing Lua scripts for any suspicious patterns or unexpected unpack usage
Patch Information
Redis has released version 8.2.2 which contains the security fix for this vulnerability. The patch modifies the integer handling in both lbaselib.c and ltable.c to use unsigned integers and implement proper bounds checking. Organizations should apply the patch by upgrading to the latest Redis version. For detailed patch information, refer to the GitHub Security Advisory and the Redis 8.2.2 Release.
Workarounds
- Disable Lua scripting if not required by setting appropriate ACL rules to deny EVAL and EVALSHA commands
- Restrict authenticated access to Redis to only trusted internal services and applications
- Implement firewall rules to ensure Redis is not exposed to untrusted networks
- Use Redis ACLs to limit which users can execute Lua scripts
# Configuration example - Restrict Lua scripting via Redis ACL
# Create a restricted user without script execution permissions
redis-cli ACL SETUSER restricted_user on >password ~* +@all -@scripting
# Alternatively, disable dangerous commands in redis.conf
rename-command EVAL ""
rename-command EVALSHA ""
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
