CVE-2025-46819

6.3 MEDIUM

📋 TL;DR

This vulnerability in Redis allows authenticated users to execute specially crafted Lua scripts that read out-of-bounds memory or crash the server, causing denial of service. It affects all Redis versions with Lua scripting enabled, up to and including 8.2.1. Organizations running vulnerable Redis instances that grant authenticated users access are at risk.

💻 Affected Systems

Products:
  • Redis
Versions: All versions up to and including 8.2.1
Operating Systems: All operating systems running Redis
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Lua scripting capability and authenticated user access. Redis instances with default configurations that allow Lua script execution are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server crash leading to extended denial of service, potential memory disclosure of sensitive data, and system instability requiring manual intervention.

🟠 Likely Case

Server crashes causing temporary denial of service, requiring a restart and potentially disrupting dependent applications.

🟢 If Mitigated

Minimal impact if Lua scripting is disabled or proper ACL restrictions are in place; only authenticated users are affected.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and knowledge of crafting malicious Lua scripts. The vulnerability is in the Lua scripting engine implementation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.2.2

Vendor Advisory: https://github.com/redis/redis/security/advisories/GHSA-4c68-q8q8-3g4f

Restart Required: Yes

Instructions:

1. Download Redis 8.2.2 or later from official sources.
2. Stop the Redis service.
3. Install the updated version.
4. Restart the Redis service.
5. Verify the version is 8.2.2 or higher.

🔧 Temporary Workarounds

Disable Lua Script Execution via ACL

Prevent users from executing Lua scripts by denying the @scripting command category with Redis ACL. This category covers EVAL, EVALSHA, SCRIPT, FUNCTION and FCALL, so a single rule per user is sufficient (Redis has no separate @function category). Apply it to every user that does not need scripting:

ACL SETUSER <username> -@scripting

🧯 If You Can't Patch

  • Implement strict ACL rules that deny the @scripting category (-@scripting, which also covers FUNCTION and FCALL) for all users who do not need it
  • Monitor Redis logs for unusual Lua script execution patterns
  • Implement network segmentation to limit access to the Redis port

🔍 How to Verify

Check if Vulnerable:

Check the Redis server version and whether Lua scripting is enabled. Versions 8.2.1 and below with Lua enabled are vulnerable.

Check Version:

redis-cli INFO server | grep redis_version

Verify Fix Applied:

Confirm the Redis server version is 8.2.2 or higher and test that Lua scripts execute without causing crashes or memory errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Lua script execution patterns
  • Redis server crash logs
  • Memory access violation errors in Redis logs

Network Indicators:

  • Increased EVAL command usage from authenticated users
  • Unexpected server restarts

SIEM Query:

source="redis" AND (command="EVAL" OR command="FUNCTION") | stats count by src_ip
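An added helper script, not part of this advisory, that combines the version check and the detection idea above: it parses INFO server output to decide whether a host is below the 8.2.2 fix, and counts scripting commands (EVAL, EVALSHA, FCALL, FUNCTION and their _RO variants) per client address in MONITOR-style lines. The INFO and MONITOR samples are constructed; the fixed version and the affected range follow this page.

```python
import re
from collections import Counter

# Constructed sample of `redis-cli INFO server` output (not from a real host).
SAMPLE_INFO = """# Server
redis_version:8.2.1
redis_mode:standalone
os:Linux 6.8.0 x86_64
"""

# Constructed sample MONITOR lines: "<timestamp> [<db> <client>] "<cmd>" <args...>"
SAMPLE_MONITOR = """1728000000.100000 [0 10.0.0.5:51234] "GET" "user:1"
1728000000.200000 [0 10.0.0.9:40001] "EVAL" "return redis.call('get', KEYS[1])" "1" "user:1"
1728000000.300000 [0 10.0.0.9:40001] "EVALSHA" "a42059b356c875f0717db19a51f6aaca9ae659ea" "0"
1728000000.400000 [0 10.0.0.9:40001] "FCALL" "myfunc" "0"
1728000000.500000 [0 10.0.0.5:51234] "SET" "k" "v"
"""

FIXED = (8, 2, 2)  # patched release according to the advisory summary
# Commands that run Lua (all belong to the @scripting ACL category).
SCRIPTING_CMDS = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO",
                  "FCALL", "FCALL_RO", "FUNCTION"}

def parse_version(info: str) -> tuple:
    """Extract (major, minor, patch) from the redis_version field of INFO output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())

def needs_patch(info: str) -> bool:
    """True when the server is below 8.2.2, i.e. in the affected range listed above."""
    return parse_version(info) < FIXED

# Matches the leading timestamp, the "[db client]" bracket and the quoted command name.
MONITOR_RE = re.compile(r'^\S+ \[\d+ ([^\]]+)\] "([A-Za-z_]+)"')

def scripting_by_client(monitor: str) -> dict:
    """Count Lua-executing commands per client address, as a per-source baseline."""
    counts = Counter()
    for line in monitor.splitlines():
        m = MONITOR_RE.match(line)
        if m and m.group(2).upper() in SCRIPTING_CMDS:
            counts[m.group(1)] += 1
    return dict(counts)

if __name__ == "__main__":
    print("needs patch:", needs_patch(SAMPLE_INFO))
    print("scripting commands per client:", scripting_by_client(SAMPLE_MONITOR))
```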
