CVE-2022-0543

10.0 CRITICAL

📋 TL;DR

CVE-2022-0543 is a critical Lua sandbox escape vulnerability in Redis on Debian-based systems that allows remote attackers to execute arbitrary code. The vulnerability affects Redis installations on Debian, Ubuntu, and other Debian-derived distributions due to a packaging issue. Attackers can exploit this without authentication to gain full control of affected Redis servers.

💻 Affected Systems

Products:
  • Redis
Versions: All versions running on affected Debian-based distributions
Operating Systems: Debian, Ubuntu, Kali Linux, and other Debian-derived distributions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Redis packages from the Debian/Ubuntu repositories, because of how the Lua libraries are packaged there. Redis compiled from source or installed from other package managers is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with remote code execution leading to data theft, ransomware deployment, lateral movement, and persistent backdoors.

🟠 Likely Case: Remote code execution allowing attackers to steal sensitive data, install cryptocurrency miners, or use the server as part of a botnet.

🟢 If Mitigated: Limited impact if Redis is properly firewalled, running in a container with limited privileges, and monitored for suspicious Lua script execution.

🌐 Internet-Facing: HIGH - Redis instances exposed to the internet are immediately vulnerable to remote exploitation without authentication.
🏢 Internal Only: MEDIUM - Internal Redis instances are still vulnerable to attackers who gain internal network access or through compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and trivial to execute. Attackers can send specially crafted Lua scripts via the Redis EVAL command to escape the sandbox.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Redis packages with updated Lua library packages (lua5.1 5.1.5-8+deb11u2 for Debian 11, 5.1.5-7.1+deb10u2 for Debian 10)

Vendor Advisory: https://www.debian.org/security/2022/dsa-5081

Restart Required: Yes

Instructions:

1. Update system packages: sudo apt update && sudo apt upgrade
2. Specifically update Redis and Lua packages: sudo apt install --only-upgrade redis-server lua5.1
3. Restart Redis service: sudo systemctl restart redis-server

🔧 Temporary Workarounds

Disable Lua scripting (Linux)

Temporarily disable Lua script execution in the Redis configuration:

redis-cli config set lua-time-limit 0
Add 'lua-time-limit 0' to redis.conf and restart

Note that lua-time-limit is the maximum run time of a script in milliseconds, and a value of 0 removes that limit rather than rejecting EVAL; confirm on your Redis version that scripts are actually refused before relying on this setting.

Network isolation (Linux)

Restrict Redis to localhost or the internal network only:

Edit redis.conf: bind 127.0.0.1
Configure firewall: sudo ufw deny 6379/tcp

🧯 If You Can't Patch

  • Run Redis in a container with minimal privileges and no root access
  • Implement strict network access controls and monitor for Lua script execution attempts

🔍 How to Verify

Check if Vulnerable:

Check whether Redis and Lua were installed from the Debian/Ubuntu packages: dpkg -l | grep redis-server && dpkg -l | grep lua5.1

Check Version:

redis-server --version && dpkg -l lua5.1

Verify Fix Applied:

Verify the Lua package version: dpkg -l lua5.1 | grep 5.1.5-8+deb11u2 (for Debian 11), or the corresponding patched version for your release

📡 Detection & Monitoring

Log Indicators:

  • Unusual Lua script execution in Redis logs
  • Multiple failed Lua script attempts
  • EVAL commands from unexpected sources

Network Indicators:

  • EVAL commands containing 'package.loadlib' or 'os.execute'
  • Rapid Lua script execution attempts
  • Connections from unusual IPs to Redis port 6379

SIEM Query:

source="redis.log" AND "EVAL" AND ("package.loadlib" OR "os.execute" OR "io.popen")
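The indicators above can be checked with a small script as well as a SIEM query. The following Python is an added example, not code from the page, Redis, or Debian; it assumes its input is the stream that `redis-cli MONITOR` prints (the Redis server log itself does not record individual commands), in the line format shown in the comments, and the sample lines are constructed.

```python
import re
from collections import defaultdict
# Indicator substrings the advisory lists for the sandbox escape.
INDICATORS = ("package.loadlib", "os.execute", "io.popen")
# Assumed input format: what redis-cli MONITOR prints,
#   <unix ts> [<db> <ip>:<port>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one double-quoted argument, escapes allowed
def parse_monitor_line(line):
    """Return {ts, ip, cmd, args} for one MONITOR line, or None if it does not parse."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group("args"))
    if not args:
        return None
    ip = m.group("client").rsplit(":", 1)[0]  # drop the ephemeral port
    return {"ts": float(m.group("ts")), "ip": ip, "cmd": args[0].upper(), "args": args[1:]}

def scan_monitor(lines, rate_threshold=4, window=10.0):
    """Flag scripts carrying an indicator, and IPs issuing >= rate_threshold script calls per window."""
    alerts = []
    recent = defaultdict(list)  # ip -> timestamps of recent script calls
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None or ev["cmd"] not in ("EVAL", "EVALSHA"):
            continue
        # EVAL's first arg is the script body; EVALSHA's is a SHA1 (rate check only).
        script = ev["args"][0] if ev["args"] else ""
        hits = [i for i in INDICATORS if i in script]
        if hits:
            alerts.append({"reason": "indicator", "ip": ev["ip"], "ts": ev["ts"], "hits": hits})
        times = recent[ev["ip"]]
        times.append(ev["ts"])
        times[:] = [t for t in times if ev["ts"] - t <= window]
        if len(times) >= rate_threshold:
            alerts.append({"reason": "rate", "ip": ev["ip"], "ts": ev["ts"], "count": len(times)})
            times.clear()  # one burst raises one alert
    return alerts

# Constructed sample MONITOR output (not real traffic); the loadlib arguments
# are redacted so the line is only an indicator, not a working payload.
SAMPLE_MONITOR = """\
1645000001.000100 [0 10.0.0.5:51234] "EVAL" "return redis.call('GET', KEYS[1])" "1" "user:1"
1645000002.000200 [0 198.51.100.7:40001] "EVAL" "local f = package.loadlib('<redacted>', '<redacted>')" "0"
1645000003.000400 [0 198.51.100.7:40003] "EVALSHA" "0123456789abcdef0123456789abcdef01234567" "0"
1645000003.200500 [0 198.51.100.7:40004] "EVAL" "return 2" "0"
1645000004.100600 [0 198.51.100.7:40005] "EVAL" "return 3" "0"
1645000010.000700 [0 10.0.0.5:51235] "SET" "k" "v"
""".splitlines()
```

Running `scan_monitor(SAMPLE_MONITOR)` yields one indicator alert and one rate alert, both for 198.51.100.7; tune rate_threshold and window to the normal scripting rate of your application before alerting on it.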
