CVE-2024-31449
published 2024-10-07


Priority: P2 · 61 · high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 4.49% (90.3rd percentile)
Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected

22 ranges
Vendor | Product | Version range | Fixed in
debian | redict | < redict 7.3.1+ds-1 (forky) | redict 7.3.1+ds-1 (forky)
debian | redis | < redict 7.3.1+ds-1 (forky) | redict 7.3.1+ds-1 (forky)
debian | valkey | < redict 7.3.1+ds-1 (forky) | redict 7.3.1+ds-1 (forky)
lfprojects | valkey | >= 0 < 8.0.1+dfsg1-1 | 8.0.1+dfsg1-1
lfprojects | valkey | >= 0 < 8.0.1+dfsg1-1 | 8.0.1+dfsg1-1
msrc | azl3_valkey_8.0.0-2_on_azure_linux_3.0 | (not given) | (not given)
msrc | azl3_valkey_8.0.1-1_on_azure_linux_3.0 | (not given) | (not given)
msrc | azure_linux_3.0_arm | (not given) | (not given)
msrc | azure_linux_3.0_x64 | (not given) | (not given)
msrc | cbl2_redis_6.2.14-2_on_cbl_mariner_2.0 | (not given) | (not given)
msrc | cbl2_redis_6.2.14-3_on_cbl_mariner_2.0 | (not given) | (not given)
msrc | cbl_mariner_2.0_arm | (not given) | (not given)
msrc | cbl_mariner_2.0_x64 | (not given) | (not given)
redis | redis | (not given) | (not given)
redis | redis | (not given) | (not given)
redis | redis | (not given) | (not given)
redis | redis | (not given) | (not given)
redis | redis | >= 0 < 5:7.0.15-1~deb12u2 | 5:7.0.15-1~deb12u2
redis | redis | >= 0 < 5:7.0.15-2 | 5:7.0.15-2
redis | redis | >= 0 < 5:7.0.15-2 | 5:7.0.15-2
redis | redis | >= 2.8.18 < 6.2.16 | 6.2.16
redis | redis | >= 7.2.0 < 7.2.6 | 7.2.6

Detection & IOCs (extracted from sources)

Port: 6379
Snort rule:
alert tcp any any -> $HOME_NET 6379 (msg:"ET HUNTING Redis Authenticated Remote Code Execution in bit Library (CVE-2024-31449)"; flow:established,to_server; content:"|2a 33 0d 0a|"; startswith; content:"eval|0d 0a|"; nocase; content:"bit"; content:"|2e|tohex|28|"; fast_pattern; reference:url,redrays.io/blog/redis-cve-2024-31449-how-to-reproduce-and-mitigate-the-vulnerability/; reference:cve,2024-31449; classtype:attempted-admin; sid:2057707; rev:1; metadata:affected_product Redis, attack_target Server, created_at 2024_11_19, cve CVE_2024_31449, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_11_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Byte patterns: |2a 33 0d 0a| (the RESP array header "*3" followed by CRLF) and |2e|tohex|28| (the ASCII string ".tohex(")
  • Detect exploit attempts by monitoring TCP traffic to Redis port 6379 for RESP-framed EVAL commands (the "*3" array header the rule anchors on) whose payload contains 'bit' and the byte sequence for '.tohex(', indicative of the Lua bit library invocation used by the exploit.
  • The vulnerability is triggered via a specially crafted Lua script using the bit library; monitor Redis EVAL/EVALSHA commands from authenticated sessions for anomalous bit library usage.
  • MITRE mapping: TA0001 / T1190 (Exploit Public-Facing Application); treat inbound Redis EVAL traffic from untrusted sources as high-risk.
  • The vulnerability exists in all versions of Redis that include Lua scripting support and there are no known workarounds; the only remediation is upgrading to Redis 6.2.16, 7.2.6, or 7.4.1.
  • Red Hat confirmed that no available mitigation meets its deployment and ease-of-use criteria; affected packages include quay/quay-rhel8 (Red Hat Quay 3), while valkey on RHEL 9/10 is not affected.
  • On Ubuntu, the fix for CVE-2024-31449 was delivered via the lua-bitop package on Ubuntu 20.04 LTS and 22.04 LTS, and via the redis package on Ubuntu 16.04 LTS, 18.04 LTS, and 24.04 LTS; ensure the correct package is patched for your Ubuntu release.
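The detection logic described in the notes above, as an added example that is not part of this record or of the Emerging Threats rule: a minimal RESP array parser plus the EVAL/EVALSHA + bit.tohex( heuristic, run over a constructed client-to-server capture. The password, scripts and the helper names (parse_resp_array, suspicious_eval, scan_stream, resp) are made up for the example.

```python
import re
from typing import List, Optional, Tuple

# Added example: the heuristic from the detection notes, i.e. an EVAL/EVALSHA
# whose Lua script references the bit library and calls .tohex( on it.
BIT_TOHEX = re.compile(rb"bit\s*\.\s*tohex\s*\(", re.IGNORECASE)

def parse_resp_array(buf: bytes, pos: int = 0) -> Tuple[Optional[List[bytes]], int]:
    """Parse one RESP array of bulk strings at buf[pos] (e.g. *3\\r\\n$4\\r\\nEVAL...).
    Returns (items, next_pos); items is None for a non-array or truncated frame."""
    end = buf.find(b"\r\n", pos)
    if end < 0 or buf[pos:pos + 1] != b"*":
        return None, len(buf)
    count, pos, items = int(buf[pos + 1:end]), end + 2, []
    for _ in range(count):
        end = buf.find(b"\r\n", pos)
        if end < 0 or buf[pos:pos + 1] != b"$":
            return None, len(buf)
        length, pos = int(buf[pos + 1:end]), end + 2
        items.append(buf[pos:pos + length])
        pos += length + 2  # skip the payload and its trailing CRLF
    return items, pos

def suspicious_eval(items: List[bytes]) -> bool:
    """True when the command is EVAL/EVALSHA and its script argument uses bit.tohex(."""
    if len(items) < 2 or items[0].upper() not in (b"EVAL", b"EVALSHA"):
        return False
    return BIT_TOHEX.search(items[1]) is not None

def scan_stream(buf: bytes) -> List[bytes]:
    """Walk a (possibly pipelined) client->server stream and return flagged scripts."""
    hits, pos = [], 0
    while pos < len(buf):
        items, pos = parse_resp_array(buf, pos)
        if items and suspicious_eval(items):
            hits.append(items[1])
    return hits

def resp(*args: bytes) -> bytes:
    """Build a RESP array for the constructed sample stream below."""
    return b"*%d\r\n" % len(args) + b"".join(b"$%d\r\n%s\r\n" % (len(a), a) for a in args)

# Constructed sample capture: AUTH, a benign EVAL, then an EVAL that calls bit.tohex.
SAMPLE = (resp(b"AUTH", b"example-password")
          + resp(b"EVAL", b"return redis.call('GET', KEYS[1])", b"1", b"k")
          + resp(b"eval", b"return bit.tohex(0x1234)", b"0"))
```

scan_stream(SAMPLE) returns only the third script; the AUTH frame and the benign EVAL pass, and a truncated frame makes parse_resp_array return None instead of raising.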

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv | (not given) | 8.8 | HIGH | (not given)
vendor_ubuntu | (not given) | 8.8 | HIGH | (not given)
vendor_debian | (not given) | 7.0 | HIGH | (not given)
vendor_msrc | (not given) | 7.0 | HIGH | (not given)
vendor_redhat | (not given) | 7.0 | HIGH | (not given)