CVE-2025-46819 Overview
CVE-2025-46819 is an out-of-bounds read vulnerability in Redis, the popular open-source in-memory data store (with optional on-disk persistence). An authenticated user who is permitted to run Lua scripts can submit a specially crafted script that makes the server read memory outside the buffer it is parsing, disclosing data from the process or crashing it and causing a denial of service. The flaw exists in every Redis version that supports Lua scripting; 8.2.1 and earlier are confirmed affected, and the fix shipped in 8.2.2 together with backports to the 8.0, 7.4, 7.2 and 6.2 release lines.
Critical Impact
Authenticated attackers with scripting permission can exploit this vulnerability to read data from Redis process memory or crash the server, causing service disruption and potential information disclosure. Exploitation does not require access to the host: any client that can authenticate to the Redis port and run EVAL, EVALSHA or FCALL over the network can trigger it.
Affected Products
- Redis versions 8.2.1 and below (and the 8.0, 7.4, 7.2 and 6.2 release lines before their patched versions)
- All Redis versions with Lua scripting, which is compiled in by default
- Redis deployments whose ACLs let users run EVAL/EVALSHA or FCALL against functions registered with FUNCTION LOAD
Discovery Timeline
- 2025-10-03 - CVE-2025-46819 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2025-46819
Vulnerability Analysis
This vulnerability stems from the bundled Lua interpreter's lexer. The lexer (deps/lua/src/llex.c) did not initialize its current-token structure before use, so a specially crafted script could make it act on a stale or garbage token value and read outside the buffer it was parsing. The issue is catalogued as an out-of-bounds read (CWE-125), with an integer overflow (CWE-190) also listed against it. Depending on what lies in adjacent memory, the result is either disclosure of process memory or a crash from a memory access violation.
Exploitation requires an authenticated connection to the Redis port with permission to run scripts, not local access to the host. Any client whose ACL allows EVAL or EVALSHA (or FCALL against a loaded function) can reach the vulnerable lexer path, so instances that rely on the default user without a password, or that are reachable from untrusted networks, should be treated as remotely exploitable.
Root Cause
The root cause of CVE-2025-46819 lies in the luaX_setinput function of the bundled Lua lexer (deps/lua/src/llex.c). The current-token field of the lexer state (ls->t.token) was never initialized before the lexer started consuming input, so parsing could proceed on whatever value happened to be in that memory and index outside the intended bounds during script parsing.
Attack Vector
The attack vector is a crafted Lua script submitted by an authenticated client over the normal Redis protocol. Any user whose ACL permits EVAL or EVALSHA (or FCALL against functions registered with FUNCTION LOAD) can submit it; when the server lexes the script it reads memory beyond the intended buffer and either returns out-of-bounds contents or faults and crashes the process.
// Security patch from deps/lua/src/llex.c
// Source: https://github.com/redis/redis/commit/3a1624da2449ac3dbfc4bdaed43adf77a0b7bfba
void luaX_setinput (lua_State *L, LexState *ls, ZIO *z, TString *source) {
+ ls->t.token = 0;
ls->decpoint = '.';
ls->L = L;
ls->lookahead.token = TK_EOS; /* no look-ahead token */
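Review bot: ls->t.token is initialised to the bare literal 0 while the look-ahead token two lines below uses the named sentinel TK_EOS; either use TK_EOS here too, for consistency with `ls->lookahead.token = TK_EOS; /* no look-ahead token */`, or add a short comment explaining why 0 is the intended starting value, so a future reader does not take it for an arbitrary magic number. Zeroing the whole ls->t (for example with memset) would also define the seminfo member, which this one-line change leaves as it was.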
The fix sets ls->t.token to 0 when the lexer state is set up, so the first token the lexer inspects is a defined value rather than whatever was left in that memory.
Detection Methods for CVE-2025-46819
Indicators of Compromise
- Unexpected Redis server crashes or restarts without a clear operational cause
- Unusual EVAL, EVALSHA or FCALL usage from authenticated users who do not normally run scripts
- Crash reports in the Redis log: a "crashed by signal: 11" line followed by the stack trace Redis prints on a segmentation fault
- Abnormal script bodies in SLOWLOG or MONITOR output: unusually long, obfuscated or malformed Lua
Detection Strategies
- Redis does not log individual commands by default: use SLOWLOG (with a low slowlog-log-slower-than so script executions are captured), a short MONITOR sample during an investigation, or command logging at a proxy in front of Redis, and look for EVAL, EVALSHA and FCALL from unexpected users or source addresses
- Alert on Redis crashes: process exits, service-manager restarts, and the "crashed by signal" report Redis writes to its log
- Review ACL LOG for denied scripting commands (reason "command", object eval, evalsha, fcall or function); repeated denials for a locked-down user indicate someone probing
- In staging, build Redis with AddressSanitizer (make SANITIZER=address) so an out-of-bounds read that would otherwise pass silently becomes an immediate, attributable crash report
Monitoring Recommendations
- Tune slowlog-log-slower-than and slowlog-max-len so that script executions are retained long enough to be reviewed, and ship SLOWLOG GET output to your log pipeline
- Configure system-level monitoring for Redis process stability and crash events, including core dumps or crash reports on the host
- Implement network monitoring to detect unauthorized connection attempts to the Redis port
- Set up automated alerts on ACL LOG entries for scripting commands and on failed AUTH attempts
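The following triage script is an added example, not part of the original page or of Redis itself. It applies the checks above to constructed sample data: a Redis server log excerpt, ACL LOG rows and SLOWLOG GET rows in the shape a client library returns them. The log line layout and the "crashed by signal" header follow Redis's real formats; the process ID, addresses, user names, timestamps and script body are made up for the example.

```python
"""Triage helpers for CVE-2025-46819 hunting: flag Redis crash reports in the
server log, denied script commands in ACL LOG, and script executions in SLOWLOG.
Added example; all sample inputs below are constructed."""
import re
from dataclasses import dataclass

# The @scripting ACL category as of Redis 7.x/8.x (verify with `ACL CAT scripting`).
SCRIPTING_COMMANDS = {
    "eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro",
    "function", "script",
}

# Redis log line: "<pid>:<role> <day> <mon> <year> <time> <level> <message>"
LOG_RE = re.compile(
    r"^(?P<pid>\d+):(?P<role>[MSCX]) (?P<ts>\d{2} \w{3} \d{4} [\d:.]+) "
    r"(?P<lvl>[.\-*#]) (?P<msg>.*)$"
)
# Header Redis writes before the stack trace when it dies on a signal.
CRASH_RE = re.compile(r"Redis (?P<version>[\d.]+) crashed by signal: (?P<signal>\d+)")


@dataclass
class Finding:
    source: str
    severity: str
    detail: str


def scan_server_log(lines):
    """Return a Finding for every crash report in the server log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        crash = CRASH_RE.search(m["msg"])
        if crash:
            sig = int(crash["signal"])
            sev = "high" if sig in (6, 7, 11) else "medium"  # SIGABRT/SIGBUS/SIGSEGV
            findings.append(Finding("server-log", sev,
                f"pid {m['pid']} Redis {crash['version']} died on signal {sig} at {m['ts']}"))
    return findings


def scan_acl_log(entries):
    """entries: ACL LOG rows as dicts keyed by the field names Redis returns."""
    findings = []
    for e in entries:
        obj = str(e.get("object", "")).lower()
        if e.get("reason") == "command" and obj.split("|")[0] in SCRIPTING_COMMANDS:
            findings.append(Finding("acl-log", "medium",
                f"user {e.get('username')} denied {obj} x{e.get('count')} "
                f"from {e.get('client-info', '?')}"))
    return findings


def scan_slowlog(entries):
    """entries: SLOWLOG GET rows as [id, unix_ts, duration_us, argv, addr, client_name]."""
    findings = []
    for _entry_id, _ts, dur_us, argv, addr, name in entries:
        cmd = argv[0].lower() if argv else ""
        if cmd in SCRIPTING_COMMANDS:
            body = argv[1] if len(argv) > 1 else ""
            findings.append(Finding("slowlog", "low",
                f"{cmd} from {addr} ({name or 'unnamed'}) took {dur_us}us, "
                f"arg1={body[:40]!r}"))
    return findings


# Constructed samples (not captured from a real incident).
SAMPLE_SERVER_LOG = [
    "4242:M 03 Oct 2025 10:15:02.117 * Ready to accept connections tcp",
    "4242:M 03 Oct 2025 10:17:44.902 # Redis 8.2.1 crashed by signal: 11, si_code: 1",
    "4242:M 03 Oct 2025 10:17:44.902 # Accessing address: (nil)",
]
SAMPLE_ACL_LOG = [
    {"count": 3, "reason": "command", "context": "toplevel", "object": "eval",
     "username": "app_ro", "client-info": "id=7 addr=10.0.0.5:51234"},
    {"count": 1, "reason": "key", "context": "toplevel", "object": "session:1",
     "username": "app_ro", "client-info": "id=7 addr=10.0.0.5:51234"},
]
SAMPLE_SLOWLOG = [
    [12, 1759486664, 18342, ["EVAL", "local t = {} for i=1,1e6 do t[i]=i end return #t", "0"],
     "10.0.0.5:51234", "batch-job"],
    [11, 1759486600, 210, ["GET", "session:1"], "10.0.0.9:40011", ""],
]


def triage():
    return (scan_server_log(SAMPLE_SERVER_LOG)
            + scan_acl_log(SAMPLE_ACL_LOG)
            + scan_slowlog(SAMPLE_SLOWLOG))


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.severity}] {f.source}: {f.detail}")
```

On a live system, feed the same functions the server log file, the result of ACL LOG and the result of SLOWLOG GET from your client library; the two regular expressions can also be dropped straight into a SIEM rule if logs are shipped centrally.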
How to Mitigate CVE-2025-46819
Immediate Actions Required
- Upgrade to Redis 8.2.2 or later, or to the patched release of the line you run (8.0.4, 7.4.6, 7.2.11 or 6.2.20)
- Audit which users can run scripts (ACL LIST, looking for +@all or +@scripting with no later -@scripting) and remove the privilege where it is not needed
- Deny the @scripting category with ACL rules for every user that does not need it; removing only EVAL and FUNCTION leaves EVAL_RO, EVALSHA_RO and FCALL available
- Monitor Redis instances for crash reports and for denied scripting commands in ACL LOG
Patch Information
Redis fixed this vulnerability in version 8.2.2, with the same fix backported to 8.0.4, 7.4.6, 7.2.11 and 6.2.20. The fix initializes the lexer's token structure in the bundled Lua sources before any script is parsed. The patched release is available from the GitHub Redis Release 8.2.2 page, and additional technical details are in the GitHub Security Advisory GHSA-4c68-q8q8-3g4f.
Workarounds
- Use Redis ACLs to deny the @scripting category (EVAL, EVALSHA, EVAL_RO, EVALSHA_RO, FCALL, FCALL_RO, FUNCTION and SCRIPT) to every user that does not need it; a deny list that names only EVAL and FUNCTION is not enough
- If your application uses neither scripts nor functions, deny @scripting to every user including default; Redis has no dedicated configuration switch that turns Lua off, so ACLs are the mechanism
- Segment the network so that only application hosts can reach the Redis port, and never expose it to the internet
- Apply least privilege to every Redis user: only the key patterns, channels and command categories it actually needs
# Redis ACL rules to block Lua script execution. Apply over redis-cli, then
# ACL SAVE (requires aclfile to be configured) to persist; the equivalent
# redis.conf form is a "user <name> <rules>" line.
# Deny the whole @scripting category (EVAL, EVALSHA, EVAL_RO, EVALSHA_RO,
# FCALL, FCALL_RO, FUNCTION, SCRIPT) for the default user: "-EVAL -EVALSHA
# -FUNCTION" alone would leave the _RO variants and FCALL reachable.
ACL SETUSER default -@scripting
# Create a restricted user without script execution rights
ACL SETUSER restricted_user on >password ~* &* +@all -@scripting
# Confirm the effective rules, then persist them
ACL GETUSER restricted_user
ACL SAVE
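The checker below is an added example, not Redis code: it re-implements the left-to-right evaluation of ACL SETUSER command rules over a miniature command table (an assumption; the real table has hundreds of entries, so use `ACL CAT scripting` and `COMMAND LIST` on your server for the authoritative sets) and reports which scripting commands a rule string still permits. It shows concretely why a narrow deny list of EVAL, EVALSHA and FUNCTION is weaker than denying the @scripting category, and that a later +command re-grants what an earlier -@category removed.

```python
"""Offline checker for Redis ACL command rules: does a rule string still let the
user reach any scripting command? Added example with a miniature command table
(assumption); query `ACL CAT scripting` / `COMMAND LIST` for the real sets."""

SCRIPTING = {
    "eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro",
    "function|load", "function|list", "function|delete", "function|flush",
    "script|load", "script|flush", "script|exists",
}
CATEGORIES = {
    "scripting": SCRIPTING,
    "read": {"get", "mget", "exists"},
    "write": {"set", "del", "incr"},
    "admin": {"config|get", "config|set", "debug", "shutdown"},
}
ALL_COMMANDS = frozenset().union(*CATEGORIES.values())


def _expand(name):
    """A bare command name covers the command and all of its subcommands;
    'cmd|sub' covers exactly one subcommand."""
    hits = {c for c in ALL_COMMANDS if c == name or c.startswith(name + "|")}
    if not hits:
        raise ValueError(f"unknown command in rule: {name}")
    return hits


def allowed_commands(rules):
    """Apply ACL SETUSER rule tokens left to right, as Redis does, and return
    the set of commands the user ends up permitted to call."""
    allowed = set()
    for token in rules.split():
        t = token.lower()
        if t in ("allcommands", "+@all"):
            allowed = set(ALL_COMMANDS)
        elif t in ("nocommands", "-@all"):
            allowed.clear()
        elif t.startswith("+@") or t.startswith("-@"):
            cat = CATEGORIES.get(t[2:])
            if cat is None:
                raise ValueError(f"unknown category in rule: {t}")
            allowed = (allowed | cat) if t[0] == "+" else (allowed - cat)
        elif t.startswith("+"):
            allowed |= _expand(t[1:])
        elif t.startswith("-"):
            allowed -= _expand(t[1:])
        # on/off, >password, ~keypattern, &channel, resetkeys ... do not touch commands
    return allowed


def scripting_exposure(rules):
    """Scripting commands still reachable under `rules`; an empty list means
    the user is properly locked out of Lua."""
    return sorted(c for c in allowed_commands(rules) if c in SCRIPTING)


# Constructed rule strings: a narrow deny list, the category deny, and a re-grant.
NARROW_DENY = "on >s3cret ~* &* +@all -EVAL -EVALSHA -FUNCTION"
CATEGORY_DENY = "on >s3cret ~* &* +@all -@scripting"
REGRANT_RO = "on >s3cret ~* &* +@all -@scripting +fcall_ro"

if __name__ == "__main__":
    for label, rules in (("narrow", NARROW_DENY), ("category", CATEGORY_DENY),
                         ("regrant", REGRANT_RO)):
        print(f"{label:9s} still allows: {scripting_exposure(rules) or 'nothing'}")
```

Run it against the rule strings from your own ACL LIST output; any user whose exposure list is non-empty can still reach the vulnerable lexer on an unpatched server. Real Redis additionally evaluates key, channel and selector rules, which this checker deliberately ignores because they do not affect command reachability.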
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

