CVE-2024-46981

7.0 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in Redis where an authenticated user can craft a malicious Lua script to manipulate the garbage collector, potentially leading to remote code execution. The vulnerability affects Redis versions before 6.2.17, 7.2.7, and 7.4.2. Organizations running vulnerable Redis instances with authenticated user access are at risk.

💻 Affected Systems

Products:
  • Redis
Versions: All versions before 6.2.17, 7.2.7, and 7.4.2
Operating Systems: All operating systems running Redis
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to Redis (not default in older versions but common in production). The vulnerability is in the Lua scripting engine.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full remote code execution with the privileges of the Redis process, potentially leading to complete system compromise, data theft, or lateral movement.

🟠 Likely Case

Denial of service through Redis process crashes or instability, with potential for limited code execution in constrained environments.

🟢 If Mitigated

No impact if proper access controls prevent Lua script execution or if the system is patched.

🌐 Internet-Facing: HIGH - Internet-facing Redis instances with authentication enabled are directly exploitable by attackers who obtain or guess credentials.
🏢 Internal Only: MEDIUM - Internal Redis instances are still vulnerable to authenticated users, including compromised accounts or insider threats.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and crafting of specific Lua scripts to trigger the use-after-free condition. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.2.17, 7.2.7, or 7.4.2

Vendor Advisory: https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c

Restart Required: No

Instructions:

1. Identify your Redis version.
2. Upgrade to Redis 6.2.17, 7.2.7, or 7.4.2 using your package manager or from source.
3. Verify the upgrade was successful.

No restart is required for hot patching in some configurations, but a restart ensures clean state.

🔧 Temporary Workarounds

Disable Lua Script Execution via ACL


Prevent users from executing EVAL and EVALSHA commands using Redis Access Control Lists (ACL). The rule below first removes every command (-@all) and then grants only the @read and @write categories, so commands outside those categories (for example PING and SELECT) are denied as well; widen the granted categories to what the application actually needs. ACL rules apply in order, so the trailing -eval -evalsha keeps both commands denied whatever categories were granted before it. On Redis 7.x, -@scripting denies the whole scripting command family, including EVAL_RO and EVALSHA_RO, in a single rule.

ACL SETUSER <username> -@all +@read +@write -eval -evalsha

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Redis instances from untrusted networks.
  • Enforce strong authentication and limit user privileges to only necessary commands using ACLs.

🔍 How to Verify

Check if Vulnerable:

Check the Redis version; if it is below 6.2.17, 7.2.7, or 7.4.2, it is vulnerable. Also check whether authenticated users are permitted to run EVAL and EVALSHA.

Check Version:

redis-cli --version or redis-server --version

Verify Fix Applied:

Confirm the Redis version is 6.2.17, 7.2.7, or 7.4.2 or higher. If the workaround is applied, test that Lua script execution is blocked for the restricted users.
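A check script to go with the version and ACL checks above, added here as an example and not part of the advisory or of Redis itself. It classifies a version string against the three fixed releases and, given a host, port, ACL user and password (assumed values supplied by the caller), uses redis-cli to confirm that the restricted user is denied EVAL.

```shell
# Added example, not from the advisory or the Redis project: classify a Redis
# version against the fixed releases (6.2.17, 7.2.7, 7.4.2) and, when given
# connection details, confirm over redis-cli that the ACL workaround denies EVAL.

# Pull the first MAJOR.MINOR.PATCH token out of text such as the
# "Redis server v=7.2.5 sha=..." banner, "redis-cli 7.2.5" or "redis_version:7.2.5".
extract_version() {
  printf '%s\n' "$1" |
    sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print fixed | vulnerable | unknown. Branches without a fix release (6.0.x,
# 7.0.x) are vulnerable; anything newer than 7.4.2 is taken to carry the fix.
cve_2024_46981_status() {
  v=$(extract_version "$1")
  [ -n "$v" ] || { echo unknown; return 0; }
  maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}
  case "$maj.$min" in
    6.2) fix=17 ;;
    7.2) fix=7 ;;
    7.4) fix=2 ;;
    *) if [ "$maj" -gt 7 ] || { [ "$maj" -eq 7 ] && [ "$min" -gt 4 ]; }; then echo fixed; else echo vulnerable; fi
       return 0 ;;
  esac
  if [ "$pat" -ge "$fix" ]; then echo fixed; else echo vulnerable; fi
}

# Live check: run a trivial script as the restricted user and require an ACL
# denial (Redis answers NOPERM). The password travels via REDISCLI_AUTH rather
# than the command line so it does not show up in process listings.
eval_blocked_for_user() {   # HOST PORT USER PASSWORD
  reply=$(REDISCLI_AUTH="$4" redis-cli -h "$1" -p "$2" --user "$3" \
            EVAL 'return 1' 0 2>&1)
  case "$reply" in
    *NOPERM*) echo "EVAL denied for user $3: workaround effective"; return 0 ;;
    *)        echo "EVAL NOT blocked for user $3: $reply"; return 1 ;;
  esac
}

# Stand-alone use: sh redis_cve_check.sh --run HOST PORT USER PASSWORD
# Uses the version the running server reports (INFO server), not the local
# client binary, then tests the ACL.
main() {
  info=$(REDISCLI_AUTH="$4" redis-cli -h "$1" -p "$2" --user "$3" INFO server 2>&1)
  echo "server $(extract_version "$info"): $(cve_2024_46981_status "$info")"
  eval_blocked_for_user "$@"
}
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

The version classifier only needs the three fixed releases from the advisory; the live check needs a reachable server and redis-cli 6.0 or later for --user.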

📡 Detection & Monitoring

Log Indicators:

  • Unusual Lua script execution patterns, especially from unexpected users or IPs.
  • Redis process crashes or abnormal termination logs.

Network Indicators:

  • Multiple EVAL or EVALSHA commands from a single source in short timeframes.
  • Network traffic to Redis port 6379 from unauthorized sources.

SIEM Query:

source="redis" AND (command="EVAL" OR command="EVALSHA") | stats count by src_ip, user

🔗 References
