Introduction
Remote code execution through a database scripting engine is a scenario with direct, high-impact consequences for any environment relying on Redis. Organizations using Redis for real-time analytics, caching, or session management need to know that authenticated users can exploit a flaw in Lua script handling to potentially compromise the entire server process. Redis is a leading open source in-memory database, deployed globally in millions of production environments and supported by Redis Ltd. The project powers critical infrastructure for web applications, analytics platforms, and distributed systems.
Technical Information
CVE-2025-46817 is caused by insufficient input validation and boundary checking in the Lua scripting environment of Redis. Specifically, authenticated users can submit specially crafted Lua scripts using commands such as EVAL or EVALSHA. By manipulating integer operations within these scripts, attackers can trigger an integer overflow condition (CWE-190).
The vulnerability is present in all Redis versions with Lua scripting support up to and including 8.2.1. The root cause is improper handling of integer arithmetic during Lua script execution. When a script provides input values that exceed the bounds of the underlying data types, the resulting overflow can corrupt memory structures. This can potentially lead to remote code execution within the context of the Redis server process. No public code snippets or exploit samples are available for this issue.
Affected Systems and Versions
- Redis Open Source and commercial distributions with Lua scripting support
- All versions up to and including 8.2.1
- Fixed in version 8.2.2
- Vulnerable configurations include any deployment where authenticated users can execute Lua scripts via EVAL, EVALSHA, or similar commands
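As an added exposure check (not code from the advisory or from the Redis project), the script below reads constructed `redis-cli INFO server` and `ACL LIST` output, flags a version older than the 8.2.2 fix named above, and lists the enabled users whose ACL rules still permit EVAL or EVALSHA. The sample output, the 8.2.2 threshold and the simplified ACL evaluation (only @all, @scripting, eval and evalsha are tracked) are assumptions.

```python
import re

FIXED_VERSION = (8, 2, 2)             # fix version stated in the advisory
SCRIPTING_CMDS = ("eval", "evalsha")  # commands the advisory names

# Constructed sample of `redis-cli INFO server` output (not a real host).
SAMPLE_INFO = "# Server\nredis_version:8.2.1\nredis_mode:standalone\n"

# Constructed sample of `redis-cli ACL LIST` output; #<hash> stands in
# for the password hash Redis prints.
SAMPLE_ACL = """user default on nopass sanitize-payload ~* &* +@all
user analytics on #<hash> ~cache:* &* +@all -@scripting
user deploy on #<hash> ~* &* -@all +@read +eval
user legacy off nopass ~* &* +@all
"""


def parse_version(info_text):
    """Return redis_version from INFO output as an int tuple, e.g. (8, 2, 1)."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def is_unpatched(version):
    """True when the reported version predates the fix the advisory names."""
    return tuple(version) < FIXED_VERSION


def users_with_script_access(acl_text):
    """Enabled users whose rules, applied left to right, still allow EVAL/EVALSHA."""
    exposed = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "user":
            continue
        name, enabled = parts[1], "on" in parts[2:]
        allowed = dict.fromkeys(SCRIPTING_CMDS, False)
        for tok in (t.lower() for t in parts[2:]):
            if tok in ("+@all", "allcommands", "+@scripting"):
                allowed = dict.fromkeys(SCRIPTING_CMDS, True)
            elif tok in ("-@all", "nocommands", "-@scripting"):
                allowed = dict.fromkeys(SCRIPTING_CMDS, False)
            elif tok[:1] in "+-" and tok[1:] in SCRIPTING_CMDS:
                allowed[tok[1:]] = tok[0] == "+"   # per-command override
        if enabled and any(allowed.values()):
            exposed.append(name)
    return exposed
```

Removing `@scripting` from non-administrative users narrows who can reach the vulnerable code path until the server runs 8.2.2, but it is a stopgap rather than a substitute for the patch.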
Vendor Security History
Redis Ltd. has addressed multiple Lua scripting vulnerabilities in recent years, including:
- CVE-2022-24735 (Lua script execution environment privilege escalation)
- CVE-2025-49844 (Lua use-after-free with potential remote code execution)
The vendor typically releases patches for high-severity issues within weeks of disclosure. However, the recurrence of Lua-related flaws highlights ongoing architectural challenges with integrating scripting into the Redis core.