CVE-2025-46818
Redis: Authenticated users can execute LUA scripts as a different user
Description
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
INFO
Published Date :
Oct. 3, 2025, 7:15 p.m.
Last Modified :
Oct. 10, 2025, 4:30 p.m.
Remotely Exploit :
No
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | [email protected] | ||||
| CVSS 3.1 | HIGH | [email protected] |
Solution
- Update Redis to version 8.2.2 or later.
- Restrict Lua script execution via ACL.
- Block EVAL and FUNCTION command families.
Public PoC/Exploit Available at Github
CVE-2025-46818 has a 2 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-46818.
| URL | Resource |
|---|---|
| https://github.com/redis/redis/commit/45eac0262028c771b6f5307372814b75f49f7a9e | Patch |
| https://github.com/redis/redis/releases/tag/8.2.2 | Release Notes |
| https://github.com/redis/redis/security/advisories/GHSA-qrv7-wcrx-q5jp | Third Party Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-46818 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-46818
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
CVE-2025-46818 – Redis Lua Sandbox Cross-User Escape
Lua
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
security cve exploit poc vulnerability
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-46818 vulnerability anywhere in the article.
-
CybersecurityNews
PoC Exploit Released for Critical Lua Engine Vulnerabilities
Three newly disclosed vulnerabilities have been identified in the Lua scripting engine of Redis 7.4.5, each presenting severe risks of remote code execution and privilege escalation. Redrays has relea ... Read more
-
Daily CyberSecurity
Critical Flaw CVE-2025-49844 (CVSS 10.0) Allows Remote Code Execution in Redis
Redis, the popular open-source in-memory data store widely used for real-time analytics, caching, and message brokering, has released multiple patches addressing four security vulnerabilities that cou ... Read more
The following table lists the changes that have been made to the
CVE-2025-46818 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Oct. 10, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:* versions up to (excluding) 8.2.2 Added Reference Type GitHub, Inc.: https://github.com/redis/redis/commit/45eac0262028c771b6f5307372814b75f49f7a9e Types: Patch Added Reference Type GitHub, Inc.: https://github.com/redis/redis/releases/tag/8.2.2 Types: Release Notes Added Reference Type GitHub, Inc.: https://github.com/redis/redis/security/advisories/GHSA-qrv7-wcrx-q5jp Types: Third Party Advisory -
New CVE Received by [email protected]
Oct. 03, 2025
Action Type Old Value New Value Added Description Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families. Added CVSS V3.1 AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N Added CWE CWE-94 Added Reference https://github.com/redis/redis/commit/45eac0262028c771b6f5307372814b75f49f7a9e Added Reference https://github.com/redis/redis/releases/tag/8.2.2 Added Reference https://github.com/redis/redis/security/advisories/GHSA-qrv7-wcrx-q5jp