Redis CVE-2025-46817 Integer Overflow: Brief Summary and Technical Review

A brief summary of CVE-2025-46817 affecting Redis versions 8.2.1 and below, where authenticated users can exploit Lua scripting to trigger an integer overflow and potentially achieve remote code execution. Includes technical details, affected versions, vendor security history, and references.
ZeroPath CVE Analysis

2025-10-03

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Remote code execution through a database scripting engine is a scenario with direct, high-impact consequences for any environment relying on Redis. Organizations using Redis for real-time analytics, caching, or session management need to know that authenticated users can exploit a flaw in Lua script handling to potentially compromise the entire server process. Redis is a leading open-source in-memory database, deployed globally in millions of production environments and supported by Redis Ltd. The project powers critical infrastructure for web applications, analytics platforms, and distributed systems.

Technical Information

CVE-2025-46817 is caused by insufficient input validation and boundary checking in the Lua scripting environment of Redis. Specifically, authenticated users can submit specially crafted Lua scripts using commands such as EVAL or EVALSHA. By manipulating integer operations within these scripts, attackers can trigger an integer overflow condition (CWE-190).

The vulnerability is present in all Redis versions with Lua scripting support up to and including 8.2.1. The root cause is improper handling of integer arithmetic during Lua script execution. When a script provides input values that exceed the bounds of the underlying data types, the resulting overflow can corrupt memory structures. This can potentially lead to remote code execution within the context of the Redis server process. No public code snippets or exploit samples are available for this issue.

Affected Systems and Versions

  • Redis Open Source and commercial distributions with Lua scripting support
  • All versions up to and including 8.2.1
  • Fixed in version 8.2.2
  • Vulnerable configurations include any deployment where authenticated users can execute Lua scripts via EVAL, EVALSHA, or similar commands
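As an added example that is not part of this advisory, the following Python helper audits captured `INFO server` and `ACL LIST` output offline against the two facts above: whether the build predates the 8.2.2 fix, and which ACL users are still permitted to run EVAL/EVALSHA. It assumes the standard `ACL LIST` rule syntax (evaluated left to right in simplified form, covering `@all`, `@scripting` and per-command `eval`/`evalsha` rules) and uses constructed sample output rather than data from a real instance.

```python
import re

FIXED_VERSION = (8, 2, 2)               # first release with the fix, per the advisory
SCRIPT_COMMANDS = {"eval", "evalsha"}   # the commands the advisory names as the entry point

# Constructed sample of `INFO server` output from a pre-fix instance.
SAMPLE_INFO = "# Server\r\nredis_version:8.2.1\r\nredis_mode:standalone\r\n"
# Constructed sample of `ACL LIST` output; "#<hash>" stands in for a real password hash.
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user cache on #<hash> ~cache:* &* -@all +@read +@write",
    "user jobs on #<hash> ~* &* +@all -@scripting",
    "user legacy on #<hash> ~* &* -@all +get +eval",
]

def parse_version(info_text):
    """Return redis_version from INFO output as a (major, minor, patch) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(version):
    """True when the server predates 8.2.2 (assumes a single fixed release line)."""
    return version < FIXED_VERSION

def user_can_run_scripts(acl_line):
    """Report whether one ACL LIST line still allows EVAL/EVALSHA (rules applied left to right)."""
    allowed = set()
    for tok in acl_line.split()[2:]:            # skip the leading "user <name>"
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = set(SCRIPT_COMMANDS)
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed.clear()
        elif tok[1:] in SCRIPT_COMMANDS:        # +eval, -eval, +evalsha, -evalsha
            (allowed.add if tok[0] == "+" else allowed.discard)(tok[1:])
    return bool(allowed)

def audit(info_text, acl_lines):
    """Summarise exposure: version flag plus the users who can still run Lua."""
    return {
        "vulnerable_version": is_vulnerable_version(parse_version(info_text)),
        "script_users": [l.split()[1] for l in acl_lines if user_can_run_scripts(l)],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_INFO, SAMPLE_ACL))
```

Users reported under `script_users` on a pre-fix build are the ones to revisit: either upgrade to 8.2.2 or add `-@scripting` to accounts that have no business running Lua.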

Vendor Security History

Redis Ltd. has addressed multiple Lua scripting vulnerabilities in recent years, including:

  • CVE-2022-24735 (Lua script execution environment privilege escalation)
  • CVE-2025-49844 (Lua use-after-free with potential remote code execution)

The vendor typically releases patches for high-severity issues within weeks of disclosure. However, the recurrence of Lua-related flaws highlights ongoing architectural challenges with integrating scripting into the Redis core.

References
