CVE-2024-46981
Published: 2025-01-06
Priority P266 · Critical 9.8 (CVSS 3.1) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.80% (93.9th percentile)
Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
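Two practical questions sit behind that paragraph: is a given build below the fixed release for its branch, and which ACL users can still reach Lua. The following script is an added example written for this page, not code from the Redis project. It parses `INFO server` and `ACL LIST` output (the samples embedded here are constructed, not captured from a host), decides per branch whether the version is patched, evaluates the ACL rules to find users who can still run script commands, and emits the `ACL SETUSER ... -@scripting` rules that close them. Treating the `*_RO` script commands, SCRIPT, and the Redis 7 FUNCTION/FCALL family as Lua entry points goes beyond the advisory's EVAL/EVALSHA wording and is the editor's extension; the assumption that branches newer than 7.4 were cut after the fix is likewise the editor's.

```python
"""Triage helper for CVE-2024-46981 (added example, not Redis project code):
version check against the upstream fixed releases and an ACL audit that finds
users who can still execute Lua. INFO server / ACL LIST samples are constructed.
"""
import re

# Upstream fixed releases named in the advisory, keyed by branch.
FIXED = {(6, 2): (6, 2, 17), (7, 2): (7, 2, 7), (7, 4): (7, 4, 2)}

# Commands that execute Lua. The advisory names EVAL and EVALSHA; the *_RO
# variants, SCRIPT and the Redis 7 FUNCTION/FCALL family run on the same Lua
# engine and share the @scripting ACL category (editorial extension).
SCRIPTING = frozenset({"eval", "evalsha", "eval_ro", "evalsha_ro", "script",
                       "function", "fcall", "fcall_ro"})
CATEGORIES = {"scripting": SCRIPTING, "all": SCRIPTING}


def parse_version(info_server):
    """Extract (major, minor, patch) from the redis_version line of INFO server."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server, re.M)
    if not m:
        raise ValueError("no redis_version line in INFO server output")
    return tuple(int(x) for x in m.groups())


def assess_version(version):
    """Compare a version tuple against the fixed release of its branch."""
    branch = version[:2]
    if branch in FIXED:
        return "fixed" if version >= FIXED[branch] else "vulnerable"
    if branch > (7, 4):
        return "fixed"  # assumption: branches newer than 7.4 were cut after the fix
    # 5.x, 6.0, 7.0 ...: no upstream fix. A distro build may carry a backport while
    # still reporting the old upstream string, so the package version decides.
    return "vulnerable-unless-distro-backport"


def parse_acl_list(acl_list):
    """Return {user: set of Lua-executing commands the user may run} from ACL LIST.

    +/- rules are applied in order, as Redis does. A selector "( ... )" starts
    from nothing, so only its '+' grants widen the result; a '-' inside a
    selector narrows that selector alone. Users that are "off" get no commands.
    """
    users = {}
    for line in acl_list.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        allowed, in_selector = set(), False
        for tok in parts[2:]:
            in_selector = in_selector or tok.startswith("(")
            rule = tok.strip("()").lower()
            if in_selector and rule.startswith("-"):
                pass  # narrows that selector only; root permissions unchanged
            elif rule in ("allcommands", "+@all"):
                allowed = set(SCRIPTING)
            elif rule in ("nocommands", "-@all"):
                allowed = set()
            elif rule[:2] in ("+@", "-@"):
                cmds = CATEGORIES.get(rule[2:], frozenset())
                allowed = allowed | cmds if rule[0] == "+" else allowed - cmds
            elif rule[:1] in ("+", "-"):
                cmd = rule[1:].split("|")[0]
                if cmd in SCRIPTING and rule[0] == "+":
                    allowed.add(cmd)      # "+function|load" still grants a Lua entry point
                elif cmd in SCRIPTING and "|" not in rule:
                    allowed.discard(cmd)  # "-cmd|sub" drops one subcommand; command stays
            if tok.endswith(")"):
                in_selector = False
        users[parts[1]] = allowed if "on" in parts[2:] else set()
    return users


def harden_rules(users, exempt=frozenset()):
    """ACL SETUSER commands removing Lua execution from every user that still has
    it, except the administrative users passed in `exempt`."""
    return [f"ACL SETUSER {u} -@scripting"
            for u, cmds in sorted(users.items()) if cmds and u not in exempt]


# Constructed samples (not from a real host).
INFO_SERVER = "# Server\r\nredis_version:7.2.5\r\nredis_mode:standalone\r\n"
_HASH = "#" + "0" * 64  # stands in for the SHA-256 password hash ACL LIST prints
ACL_LIST = "\n".join([
    "user default on nopass sanitize-payload ~* &* +@all",
    f"user app on {_HASH} ~app:* resetchannels -@all +@read +@write +@scripting",
    f"user cache on {_HASH} ~cache:* &* -@all +@read +@write -@scripting",
    f"user report on {_HASH} ~* &* -@all +@read (~batch:* +eval)",
    f"user batch off {_HASH} ~* &* +@all",
])

if __name__ == "__main__":
    v = parse_version(INFO_SERVER)
    print("redis_version", ".".join(map(str, v)), "->", assess_version(v))
    audit = parse_acl_list(ACL_LIST)
    for user, cmds in sorted(audit.items()):
        print(f"{user:8} lua: {sorted(cmds) or '-'}")
    print("\n".join(harden_rules(audit, exempt={"default"})))
```

Feed it `redis-cli INFO server` and `redis-cli ACL LIST` from a real host. The version verdict only reflects the upstream string, so for Debian and Ubuntu packages compare the package version with the distribution advisories instead; and remember that the `default` user carries `+@all` unless you have changed it, so exempting it is only safe when it is password-protected and reserved for operators.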
Affected
27 ranges (source shows 25). The vendor/product columns are the aggregator's: the `5:`/`2:` epoch versions and `+esm` suffixes in the redis rows are Debian and Ubuntu package versions, not upstream releases, and the three Debian rows all repeat the redict fix version. Treat the upstream fixed releases (6.2.17, 7.2.7, 7.4.2) and the vendor advisories below as authoritative.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | redict | < redict 7.3.2+ds-1 (forky) | redict 7.3.2+ds-1 (forky) |
| debian | redis | < redict 7.3.2+ds-1 (forky) | redict 7.3.2+ds-1 (forky) |
| debian | valkey | < redict 7.3.2+ds-1 (forky) | redict 7.3.2+ds-1 (forky) |
| lfprojects | valkey | >= 0 < 8.0.2+dfsg1-1 | 8.0.2+dfsg1-1 |
| lfprojects | valkey | >= 0 < 7.2.8+dfsg1-0ubuntu0.24.04.2 | 7.2.8+dfsg1-0ubuntu0.24.04.2 |
| msrc | azl3_valkey_8.0.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_valkey_8.0.2-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_redis_6.2.16-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_redis_6.2.17-1_on_cbl_mariner_2.0 | — | — |
| redis | redis | < 6.2.17 | 6.2.17 |
| redis | redis | — | — |
| redis | redis | >= 0 < 5:6.0.16-1+deb11u5 | 5:6.0.16-1+deb11u5 |
| redis | redis | >= 0 < 5:7.0.15-1~deb12u3 | 5:7.0.15-1~deb12u3 |
| redis | redis | >= 0 < 5:7.0.15-3 | 5:7.0.15-3 |
| redis | redis | >= 0 < 5:7.0.15-1ubuntu0.24.04.1 | 5:7.0.15-1ubuntu0.24.04.1 |
| redis | redis | >= 0 < 2:2.8.4-2ubuntu0.2+esm4 | 2:2.8.4-2ubuntu0.2+esm4 |
| redis | redis | >= 0 < 2:3.0.6-1ubuntu0.4+esm3 | 2:3.0.6-1ubuntu0.4+esm3 |
| redis | redis | >= 0 < 5:4.0.9-1ubuntu0.2+esm5 | 5:4.0.9-1ubuntu0.2+esm5 |
| redis | redis | >= 0 < 5:5.0.7-2ubuntu0.1+esm3 | 5:5.0.7-2ubuntu0.1+esm3 |
| redis | redis | >= 0 < 5:6.0.16-1ubuntu1+esm2 | 5:6.0.16-1ubuntu1+esm2 |
| redis | redis | >= 6.2.0 < 6.2.17 | 6.2.17 |
Detection & IOCs (extracted from sources)
- Restrict or monitor use of the EVAL and EVALSHA commands via ACL; they are the attack surface for the CVE-2024-46981 Lua garbage-collector manipulation leading to RCE.
- Treat any authenticated Redis user executing unusual Lua scripts as suspicious; monitor for anomalous EVAL/EVALSHA invocations, especially scripts that touch garbage-collection primitives.
- The vulnerability exists in all Redis versions with Lua scripting enabled; audit environments for unpatched instances (pre-7.4.2, pre-7.2.7, pre-6.2.17) where Lua scripting is reachable by users.
- Fixed versions are 7.4.2, 7.2.7 and 6.2.17; any deployment below these with Lua scripting enabled is vulnerable. Distribution packages that backport the fix keep the old upstream version string (see the Debian and Ubuntu entries below), so check the package version, not only `INFO server`.
- Workaround without patching: use Redis ACL to block EVAL and EVALSHA for all non-administrative users. `-@scripting` is the broader rule: it also removes EVAL_RO/EVALSHA_RO, SCRIPT and, on Redis 7, the FUNCTION/FCALL commands, which run Lua on the same engine. Remember the `default` user, which has `+@all` unless you change it.
- Exploitation needs nothing beyond an authenticated session that is allowed to run EVAL/EVALSHA; the malicious script arrives through ordinary Redis commands, so no other access to the host is required.
- Valkey (Redis fork) is also affected and requires patching.
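The monitoring items above need something concrete to run over. The script below is an added example for this page, not project code: it parses Redis `MONITOR` output, attributes each Lua-executing command to an ACL user through a `CLIENT LIST` snapshot (the `user=` field, Redis 6+), resolves `EVALSHA` digests to script bodies seen earlier in the stream (Redis caches scripts under the SHA-1 of their body, so the digest can be recomputed), and marks bodies that mention the garbage collector. The MONITOR and CLIENT LIST lines are constructed, not a real capture; the `collectgarbage`/`__gc` keyword check is an editorial heuristic keyed to the advisory's wording, not a verified exploit signature.

```python
"""Detection over Redis MONITOR output for CVE-2024-46981 triage (added example,
not Redis project code). Sample lines below are constructed, not captured.
"""
import hashlib
import re

LUA_CMDS = {"eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro", "function"}
GC_MARKERS = ("collectgarbage", "__gc")  # editorial heuristic, not a verified signature

# MONITOR line: '<unix_ts> [<db> <addr>] "CMD" "arg" ...' with C-style quoted args.
MONITOR_RE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>\S+)\] (?P<rest>.*)$")
ARG_RE = re.compile(r'"((?:\\.|[^"\\])*)"')
_ESC = {"n": "\n", "r": "\r", "t": "\t", "a": "\a", "b": "\b"}


def unquote(s):
    """Undo the escaping Redis applies when printing MONITOR arguments."""
    def sub(m):
        e = m.group(1)
        return chr(int(e[1:], 16)) if e.startswith("x") else _ESC.get(e, e)
    return re.sub(r"\\(x[0-9a-fA-F]{2}|.)", sub, s)


def parse_monitor_line(line):
    m = MONITOR_RE.match(line)
    if not m:
        return None
    args = [unquote(a) for a in ARG_RE.findall(m.group("rest"))]
    if not args:
        return None
    return {"ts": float(m.group("ts")), "db": int(m.group("db")),
            "addr": m.group("addr"), "cmd": args[0].lower(), "args": args[1:]}


def parse_client_list(text):
    """Map client addr -> ACL user from CLIENT LIST output (user= field, Redis 6+)."""
    users = {}
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "addr" in fields:
            users[fields["addr"]] = fields.get("user", "default")
    return users


def detect(monitor_text, client_list_text, admin_users=frozenset({"default"})):
    """One alert per Lua-executing command, with user attribution and GC marker."""
    addr_user = parse_client_list(client_list_text)
    bodies = {}  # sha1 hex -> script body, learned from EVAL and SCRIPT LOAD
    alerts = []
    for line in monitor_text.splitlines():
        ev = parse_monitor_line(line)
        if ev is None:
            continue
        cmd, args, body = ev["cmd"], ev["args"], None
        if cmd in ("eval", "eval_ro") and args:
            body = args[0]
            bodies[hashlib.sha1(body.encode()).hexdigest()] = body  # Redis's cache key
        elif cmd == "script" and len(args) >= 2 and args[0].lower() == "load":
            bodies[hashlib.sha1(args[1].encode()).hexdigest()] = args[1]
        elif cmd in ("evalsha", "evalsha_ro") and args:
            body = bodies.get(args[0].lower())  # None if loaded before capture began
        if cmd not in LUA_CMDS:
            continue
        user = addr_user.get(ev["addr"], "unknown")
        alerts.append({
            "ts": ev["ts"], "addr": ev["addr"], "user": user, "cmd": cmd,
            "non_admin": user not in admin_users,
            "gc_marker": body is not None and any(k in body for k in GC_MARKERS),
            "unresolved_sha": cmd.startswith("evalsha") and body is None,
        })
    return alerts


# Constructed sample capture.
SCRIPT = ("local t = {} setmetatable(t, {__gc = function() end}) "
          "collectgarbage('collect') return 1")
SHA = hashlib.sha1(SCRIPT.encode()).hexdigest()
MONITOR = "\n".join([
    '1736150400.100000 [0 10.0.0.5:51234] "GET" "app:session:1"',
    f'1736150401.200000 [0 10.0.0.5:51234] "EVAL" "{SCRIPT}" "0"',
    f'1736150402.300000 [0 10.0.0.7:40001] "EVALSHA" "{SHA}" "0"',
    '1736150403.400000 [0 10.0.0.9:40002] "EVALSHA" "0123456789abcdef0123456789abcdef01234567" "0"',
    '1736150404.500000 [0 10.0.0.5:51234] "EVAL" "return redis.call(\\"GET\\", KEYS[1])" "1" "app:k"',
])
CLIENT_LIST = "\n".join([
    "id=3 addr=10.0.0.5:51234 laddr=10.0.0.1:6379 fd=8 name= age=120 idle=0 flags=N db=0 user=app cmd=eval",
    "id=4 addr=10.0.0.7:40001 laddr=10.0.0.1:6379 fd=9 name=batch age=30 idle=1 flags=N db=0 user=default cmd=evalsha",
])

if __name__ == "__main__":
    for alert in detect(MONITOR, CLIENT_LIST):
        print(alert)
```

`MONITOR` costs throughput, so run it for short windows or against a replica. Once the `-@scripting` workaround is applied, `ACL LOG` records every denied EVAL/EVALSHA attempt with the user and client that made it, which is the cheaper steady-state signal; an `unresolved_sha` alert means the script was cached before capture started and its body must be pulled from the client that loaded it.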
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- osv: 9.8 CRITICAL
- vendor_debian: 7.0 HIGH
- vendor_msrc: 7.0 HIGH
- vendor_redhat: 7.0 HIGH
- vendor_ubuntu: 7.0 HIGH

The NVD vector scores PR:N although the advisory describes an authenticated attacker; the vendors' 7.0 reflects that authentication requirement. In practice the gap is narrow: a Redis instance reachable on the network whose `default` user has no password (the state unless `requirepass` or ACLs are configured) lets any client that connects run EVAL.
Ubuntu
Valkey vulnerabilities
vendor_ubuntu·2025-03-19·CVSS 7.0
CVE-2024-46981 [HIGH] Valkey vulnerabilities
Summary: Several security issues were fixed in Valkey.
It was discovered that Valkey did not properly handle memory cleanup. An attacker could possibly use this issue to execute arbitrary code. (CVE-2024-46981)

It was discovered that Valkey did not properly handle resource access permissions. An authenticated attacker could possibly use this issue to cause a denial of service. (CVE-2024-51741)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Redis vulnerabilities
vendor_ubuntu·2025-03-05·CVSS 5.5
CVE-2024-46981 [MEDIUM] Redis vulnerabilities
Summary: Several security issues were fixed in Redis.
It was discovered that Redis incorrectly handled certain memory operations during pattern matching. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-31228)

It was discovered that Redis incorrectly handled certain specially crafted Lua scripts. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2024-46981)

It was discovered that Redis incorrectly handled some malformed ACL selectors. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 24.10 and Ubuntu 24.04 LTS. (CVE-2024-51741)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Redis' Lua library commands may lead to remote code execution
vendor_msrc·2025-01-14·CVSS 7.0
CVE-2024-46981 [HIGH] CWE-416 Redis' Lua library commands may lead to remote code execution
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Red Hat
redis: Redis' Lua library commands may lead to remote code execution
vendor_redhat·2025-01-06·CVSS 7.0
CVE-2024-46981 [HIGH] CWE-416 redis: Redis' Lua library commands may lead to remote code execution
A flaw was found in the Redis server. This flaw allows an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, potentially leading to remote code execution.
Statement: The problem exists in all versions of Redis with L
Debian
CVE-2024-46981: redict - Redis is an open source, in-memory database that persists on disk. An authentica...
vendor_debian·2024·CVSS 7.0
Scope: local
forky: resolved (fixed in 7.3.2+ds-1)
sid: resolved (fixed in 7.3.2+ds-1)
OSV
valkey vulnerabilities
osv·2025-03-19·CVSS 9.8
CVE-2024-46981 [CRITICAL] valkey vulnerabilities
OSV
redis vulnerabilities
osv·2025-03-05·CVSS 6.5
CVE-2024-31228 [MEDIUM] redis vulnerabilities
OSV
CVE-2024-46981: Redis is an open source, in-memory database that persists on disk
osv·2025-01-06·CVSS 9.8
No detection rules found.
No public exploits indexed.
References
- https://github.com/redis/redis/releases/tag/6.2.17
- https://github.com/redis/redis/releases/tag/7.2.7
- https://github.com/redis/redis/releases/tag/7.4.2
- https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00018.html
- https://www.vicarius.io/vsociety/posts/cve-2024-46981-detect-redis-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2024-46981-mitigate-redis-vulnerability