Full Report
Introduction

Redis is an open-source, in-memory data store widely used as a cache, message broker, and high-performance NoSQL database. It offers rich data structures like strings, hashes, lists, sets, sorted sets, bitmaps, HyperLogLogs, and streams, backed by atomic operations and very low latency. Persistence is available via RDB snapshots and AOF, and high availability is […]

The post Redis 8.2.2: Hardening the Lua Engine Against Four Critical Vulnerabilities appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Analysis Summary
# Vulnerability: Four Critical Vulnerabilities in Redis Lua Engine (Affecting Memory Safety and Isolation)
## CVE Details
- **CVE ID:** CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-49844
- **CVSS Score:** 10.0 (Critical) for CVE-2025-49844; 9.8 (Critical) for CVE-2025-46817; 7.3 (High) for CVE-2025-46818; 7.1 (High) for CVE-2025-46819
- **CWE:** Not explicitly specified for every CVE; the flaws relate to improper input validation, memory corruption, and sandbox escape.
## Affected Systems
- **Products:** Redis (specifically the embedded Lua engine)
- **Versions:** Prior to Redis 8.2.2
- **Configurations:** Any deployment allowing untrusted users to run arbitrary Lua scripts is at severe risk, especially for RCE/sandbox escape scenarios.
## Vulnerability Description
Redis version 8.2.2 addresses four distinct vulnerabilities primarily located within the embedded Lua scripting engine:
1. **CVE-2025-49844 (Use-After-Free):** A critical flaw where a crafted Lua script can manipulate garbage collection and parsing mechanisms to trigger a Use-After-Free (UAF) bug. This UAF can potentially allow an attacker to escape the Lua scripting sandbox and execute arbitrary code on the host system.
2. **CVE-2025-46817 (Integer Overflow):** In the `unpack(tbl, i, j)` function, extremely large values for the arguments `i` or `j` can cause an integer overflow when calculating the number of return values. The broken count bypasses the internal stack checks, which can lead to crashes or memory corruption and may serve as a primitive for further exploitation.
3. **CVE-2025-46818 (Cross-User Script Execution):** Caused by loose controls around metatables and environment-related APIs. This allowed a script running under one user's context to unintentionally influence the execution of scripts running under another user's context, weakening isolation.
4. **CVE-2025-46819 (Out-of-Bounds Read):** Brittle handling of long-string and long-comment delimiters (e.g., `[=[ ... ]=]`) within the Lua lexer could cause the lexer to read past the end of its allocated buffer, leading to denial of service (crashes) and potential memory disclosure in edge cases.
## Exploitation
- **Status:** Not explicitly stated as exploited in the wild, but the high CVSS scores (up to 10.0) indicate high exploitability potential. PoCs exist for internal analysis related to the fixes.
- **Complexity:** Likely **Medium** to **High** depending on the specific CVE, with CVE-2025-49844 potentially simplifying sandbox escape.
- **Attack Vector:** Primarily **Network** (via authenticated access to run Lua scripts).
## Impact
- **Confidentiality:** High (Potential local memory disclosure via OOB read or RCE payload).
- **Integrity:** Critical (Potential arbitrary code execution via UAF, leading to full system compromise).
- **Availability:** High (Denial of service via crashes from integer overflow or OOB read).
## Remediation
### Patches
- Upgrade immediately to **Redis version 8.2.2** or later, which contains fixes applied to the embedded Lua engine addressing all four reported CVEs.
- *Note: The fix for CVE-2025-46817 involved switching count calculation to safe unsigned math and ensuring stack checks occur before value pushing.*
### Workarounds
- If immediate upgrade is impossible, restrict execution of Lua scripts to only highly trusted users.
- If possible, disable Lua scripting entirely for deployments handling untrusted input, although this severely impacts functionality.
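As an added example (not code from the Seqrite post or from the Redis project), the following Python triage helper reads captured `redis-cli INFO server` and `ACL LIST` output and reports whether the build predates 8.2.2 and which enabled ACL users can still reach EVAL/EVALSHA/SCRIPT. The `@scripting` category membership it assumes is the documented Redis 7+/8 one, and the sample output it parses is constructed.

```python
import re

FIXED_VERSION = (8, 2, 2)  # first Redis release carrying the four Lua fixes
# Commands of the Redis `@scripting` ACL category that reach the Lua engine
# (assumed subset; FUNCTION/FCALL, also in @scripting, are ignored here).
SCRIPTING_COMMANDS = frozenset({"eval", "evalsha", "eval_ro", "evalsha_ro", "script"})

def parse_version(info_text):
    """Extract (major, minor, patch) from `INFO server` output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())

def is_unpatched(version):
    return tuple(version) < FIXED_VERSION  # build predates 8.2.2

def scripting_commands_for(acl_line):
    """Apply the command rules of one `ACL LIST` line left to right (later
    rules override earlier ones) and return the scripting commands left."""
    tokens = acl_line.split()
    if len(tokens) < 3 or tokens[0] != "user" or "off" in tokens:
        return frozenset()  # malformed line or disabled user
    allowed = set()
    for tok in tokens[2:]:  # passwords, key/channel patterns are skipped
        if tok in ("allcommands", "+@all", "+@scripting"):
            allowed = set(SCRIPTING_COMMANDS)
        elif tok in ("nocommands", "-@all", "-@scripting"):
            allowed.clear()
        elif tok[:1] in "+-" and tok[1:] in SCRIPTING_COMMANDS:
            (allowed.add if tok[0] == "+" else allowed.discard)(tok[1:])
    return frozenset(allowed)

def lua_exposure(acl_lines):
    """Map each enabled user that can still invoke Lua to its commands."""
    report = {}
    for line in acl_lines:
        cmds = scripting_commands_for(line)
        if cmds:
            report[line.split()[1]] = sorted(cmds)
    return report

# Constructed sample output, not captured from a real server.
SAMPLE_INFO = "# Server\r\nredis_version:8.2.1\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = [
    "user default on nopass ~* &* +@all",
    "user app on #<sha256> ~app:* &* -@all +@read +@write",
    "user batch on #<sha256> ~* &* +@all -@scripting +evalsha",
    "user legacy off ~* &* +@all",
]
```

On the sample data `lua_exposure(SAMPLE_ACL)` reports `default` with every scripting command and `batch` with `evalsha` only; feed it the real `ACL LIST` output to find which accounts need `-@scripting` until the upgrade lands.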
## Detection
- **Indicators of Compromise:** Unusual crashes related to Lua processing, unexpected script execution behavior, or resource exhaustion coinciding with script execution.
- **Detection methods and tools:** Monitor Redis logs for errors related to Lua execution failures, stack overflows, or unexpected termination sequences. Utilize runtime security tools capable of tracing system calls made by the Redis process if RCE is suspected.
## References
- Vendor Advisory (Inferred): Redis Security Release Notes for 8.2.2
- Commit Reference for CVE-2025-46817 fix (Internal reference only): fc9abc775e308374f667fdf3e723ef4b7eb0e3ca