CVE-2025-46817
Published: 03 October 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-46817 is an integer overflow (CWE-190) in the Lua scripting engine of Redis, the open-source in-memory data store with on-disk persistence. Every Redis release that ships Lua scripting is affected; at publication that means all versions up to and including 8.2.1. An authenticated user can submit a specially crafted Lua script that triggers the overflow, with remote code execution as the potential outcome. The CVSS v3.1 base score is 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vector requires an authenticated user with low privileges (PR:L), which in Redis terms is any ACL user permitted to run scripting commands, and is scored as Local (AV:L) with high attack complexity (AC:H). The script is delivered through the ordinary command interface (EVAL or a related scripting command) and executes inside the redis-server process, so a successful exploit carries high confidentiality, integrity and availability impact (C:H/I:H/A:H). Note that on an instance whose default user has no password configured, any client that can reach the port already satisfies the authentication requirement.
Redis fixed the issue in version 8.2.2; see the release notes, the GitHub security advisory (GHSA-m8fj-85cg-7vhp) and the fixing commit (fc9abc775e308374f667fdf3e723ef4b7eb0e3ca). Upgrade to 8.2.2 or later. Where the upgrade is delayed, narrow who can reach the vulnerable code path: Redis ACLs can deny the scripting commands to users that do not need them (for example ACL SETUSER <user> -@scripting), and the instance should not accept unauthenticated clients.
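As an added triage example (not code from Redis or from this advisory), the following Python reads captured output of redis-cli INFO server and redis-cli ACL LIST, reports whether the instance is below the 8.2.2 threshold this page states, and lists which ACL users can reach the scripting commands, flagging any of those that also need no password. The sample outputs are constructed, and the set of commands treated as the @scripting category and the ACL LIST field layout are assumptions based on Redis 7-style ACL syntax.

```python
"""Offline triage for CVE-2025-46817 exposure from captured Redis output.

Added example, not code from Redis or this advisory. Input is the text of
`redis-cli INFO server` and `redis-cli ACL LIST`; the samples below are
constructed, and the ACL evaluation assumes Redis 7-style ACL syntax.
"""
import re

FIXED_VERSION = (8, 2, 2)  # fix threshold stated in this advisory

# Commands that reach the Lua/Function engine. Assumption: these make up the
# @scripting ACL category; the evaluator treats +@scripting/-@scripting as
# touching exactly this set.
SCRIPTING_COMMANDS = frozenset(
    {"eval", "evalsha", "eval_ro", "evalsha_ro",
     "script", "function", "fcall", "fcall_ro"})

# Constructed sample output (the #deadbeef password hashes are placeholders).
SAMPLE_INFO = """# Server
redis_version:8.2.1
redis_mode:standalone
"""
SAMPLE_ACL = """user default on nopass sanitize-payload ~* &* +@all
user app on #deadbeef ~app:* &* -@all +@read +@write
user ops on #deadbeef ~* &* -@all +@admin +@scripting -script
user batch off #deadbeef ~* &* +@all
"""


def parse_version(info_server: str) -> tuple:
    """Return redis_version from INFO server output as an (x, y, z) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(part) for part in m.groups())


def version_is_fixed(version: tuple) -> bool:
    """True when the reported version is at or above the 8.2.2 threshold."""
    return tuple(version) >= FIXED_VERSION


def user_can_run_scripts(acl_line: str) -> bool:
    """Decide from one ACL LIST line whether the user can invoke scripting.

    Redis applies command rules left to right, so later rules override
    earlier ones. Disabled users ('off') cannot authenticate at all.
    A grant of a single subcommand (e.g. +script|load) counts as exposure;
    a revocation of a single subcommand (-script|flush) leaves the command.
    """
    tokens = acl_line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    allowed = dict.fromkeys(SCRIPTING_COMMANDS, False)
    enabled = True
    for tok in tokens[2:]:
        if tok == "off":
            enabled = False
        elif tok == "on":
            enabled = True
        elif tok in ("+@all", "allcommands", "+@scripting"):
            allowed = dict.fromkeys(SCRIPTING_COMMANDS, True)
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed = dict.fromkeys(SCRIPTING_COMMANDS, False)
        elif tok[0] in "+-" and not tok.startswith(("+@", "-@")):
            cmd, _, sub = tok[1:].lower().partition("|")
            if cmd not in allowed:
                continue  # other categories and unrelated commands are ignored
            if tok[0] == "+":
                allowed[cmd] = True
            elif not sub:
                allowed[cmd] = False
    return enabled and any(allowed.values())


def triage(info_server: str, acl_list: str) -> dict:
    """Combine the version check with the per-user ACL review."""
    version = parse_version(info_server)
    scripting_users, nopass_scripting_users = [], []
    for line in acl_list.splitlines():
        line = line.strip()
        if not line:
            continue
        if user_can_run_scripts(line):
            tokens = line.split()
            scripting_users.append(tokens[1])
            if "nopass" in tokens:
                nopass_scripting_users.append(tokens[1])
    return {
        "version": version,
        "fixed": version_is_fixed(version),
        "scripting_users": scripting_users,
        "nopass_scripting_users": nopass_scripting_users,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_INFO, SAMPLE_ACL), indent=2))
```

Feed it real output from redis-cli INFO server and redis-cli ACL LIST. The version check only knows the 8.2.2 threshold this page states, so it will over-report an older branch that carries a vendor-backported fix; confirm such cases against the vendor advisory. A user that appears under scripting_users but has no need for Lua can be closed off with ACL SETUSER <name> -@scripting, and a nopass entry for the default user means the "authenticated" precondition is met by any client that can connect.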
Details
CWE(s)
CWE-190 (Integer Overflow or Wraparound)
Affected Products
Redis, all releases with Lua scripting up to and including 8.2.1; fixed in 8.2.2
MITRE ATT&CK Enterprise Techniques
T1210 (Exploitation of Remote Services), T1059.011 (Command and Scripting Interpreter: Lua), T1068 (Exploitation for Privilege Escalation)
Why these techniques?
The flaw lives in Redis's Lua scripting engine and is reached by an authenticated, low-privilege user submitting a crafted script that triggers an integer overflow with a path to code execution. That maps to T1210 (Exploitation of Remote Services) for the network-reachable service being exploited, T1059.011 (Command and Scripting Interpreter: Lua) for the delivery mechanism, and T1068 (Exploitation for Privilege Escalation) for the step from a Redis user limited to scripting commands to code running in the redis-server process.