CVE-2024-46981
published 2025-01-06

Priority: P2 (66) · critical · CVSS 3.1 base 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.80% (93.9th percentile)
Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
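The workaround above is an ACL rule, and the part that goes wrong in practice is verifying it: Redis ACL rules are applied left to right, so a later +@all or +eval silently re-grants what an earlier -@scripting revoked, and the stock default user (on, nopass, +@all) satisfies the "authenticated user" precondition with no password at all. The following is an added example, not Redis project code: it triages a users.acl file and reports which users can still reach a Lua entry point. It models only a subset of the ACL grammar, the @scripting membership list and the treatment of a leading '#' as a comment are assumptions, and the sample ACL file is constructed. Note that EVAL_RO and EVALSHA_RO also execute Lua, so "-@scripting" is the closer reading of "prevent users from executing Lua scripts" than "-eval -evalsha" alone.

```python
"""Triage a Redis users.acl file for users that can still execute Lua.

Added example, not Redis project code. Models a subset of ACL semantics:
rules apply left to right; +cmd/-cmd and +@cat/-@cat grant or revoke;
allcommands/nocommands/reset are handled; only Lua-related commands are
tracked. Confirm findings on the server with ACL GETUSER / ACL DRYRUN.
"""

# Commands that execute Lua (assumed @scripting membership, Redis 7 names).
SCRIPTING = {"eval", "evalsha", "eval_ro", "evalsha_ro",
             "script", "fcall", "fcall_ro", "function"}
# The two commands the advisory's workaround names explicitly.
ADVISORY = {"eval", "evalsha"}
CATEGORY_MEMBERS = {"all": SCRIPTING, "scripting": SCRIPTING}


def evaluate_user(rules):
    """Apply ACL rules in order; return the user's state for scripting commands."""
    state = {"enabled": False, "nopass": False, "allowed": set(), "warnings": []}
    for rule in rules:
        lower = rule.lower()
        if lower == "on":
            state["enabled"] = True
        elif lower == "off":
            state["enabled"] = False
        elif lower == "nopass":
            state["nopass"] = True
        elif lower == "resetpass" or rule[0] in ">#":
            state["nopass"] = False          # a password or hash replaces nopass
        elif lower == "reset":
            state.update(enabled=False, nopass=False, allowed=set())
        elif lower == "allcommands":
            state["allowed"] |= SCRIPTING
        elif lower == "nocommands":
            state["allowed"].clear()
        elif rule[0] in "+-":
            target = lower[1:]
            if target.startswith("@"):
                members = CATEGORY_MEMBERS.get(target[1:])
                if members is None:
                    # e.g. @slow also contains EVAL on a real server: flag, don't guess
                    state["warnings"].append(f"unmodelled category {target}")
                    continue
            else:
                # subcommand rules such as +script|load are treated as the whole command
                members = {target.split("|", 1)[0]} & SCRIPTING
            if rule[0] == "+":
                state["allowed"] |= members
            else:
                state["allowed"] -= members
        # ~keys, &channels, resetkeys, resetchannels, <pw, !hash: no effect on commands
    return state


def scripting_exposure(acl_text):
    """Parse users.acl text; return per-user exposure to Lua execution."""
    report = {}
    for line in acl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # assumption: '#' at column 0 is a comment
            continue
        tokens = line.split()
        if tokens[0] != "user" or len(tokens) < 2:
            continue
        st = evaluate_user(tokens[2:])
        report[tokens[1]] = {
            "enabled": st["enabled"],
            "nopass": st["nopass"],
            "allowed": sorted(st["allowed"]),
            "can_run_lua": st["enabled"] and bool(st["allowed"]),
            "advisory_blocked": not (st["allowed"] & ADVISORY),
            "warnings": st["warnings"],
        }
    return report


# Constructed users.acl for illustration. The first line is what an
# unconfigured Redis ships with: default user, no password, every command.
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user app on >s3cret ~app:* &* +@all -@dangerous
user worker on >w0rker ~jobs:* &* +@all -@scripting
user reporting on >r3port ~* &* +@all -eval -evalsha
user legacy off >0ldpass ~* &* +@all
"""

if __name__ == "__main__":
    for name, info in scripting_exposure(SAMPLE_ACL).items():
        flag = "EXPOSED" if info["can_run_lua"] else "ok"
        print(f"{name:10} {flag:8} nopass={info['nopass']} "
              f"eval/evalsha blocked={info['advisory_blocked']} "
              f"allowed={info['allowed']} {info['warnings']}")
```

Running it against the sample shows the three failure modes worth checking for: `default` is exposed with no password at all, `app` is exposed and also carries a warning because `-@dangerous` is outside the model, and `reporting` has the advisory's literal workaround applied yet can still run Lua through EVAL_RO, EVALSHA_RO and FCALL. The live-server equivalent is `redis-cli ACL SETUSER <user> -@scripting`, persisted with `ACL SAVE` when an aclfile is configured, and checked with `ACL DRYRUN <user> EVAL "return 1" 0`, which should report a permission error for every non-administrative user.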

Affected

27 ranges (showing 25)

Vendor      Product                                   Version range                              Fixed in
debian      debian_linux
debian      redict                                    < redict 7.3.2+ds-1 (forky)                redict 7.3.2+ds-1 (forky)
debian      redis                                     < redict 7.3.2+ds-1 (forky)                redict 7.3.2+ds-1 (forky)
debian      valkey                                    < redict 7.3.2+ds-1 (forky)                redict 7.3.2+ds-1 (forky)
lfprojects  valkey                                    >= 0, < 8.0.2+dfsg1-1                      8.0.2+dfsg1-1
lfprojects  valkey                                    >= 0, < 8.0.2+dfsg1-1                      8.0.2+dfsg1-1
lfprojects  valkey                                    >= 0, < 7.2.8+dfsg1-0ubuntu0.24.04.2       7.2.8+dfsg1-0ubuntu0.24.04.2
msrc        azl3_valkey_8.0.1-1_on_azure_linux_3.0
msrc        azl3_valkey_8.0.2-1_on_azure_linux_3.0
msrc        cbl2_redis_6.2.16-1_on_cbl_mariner_2.0
msrc        cbl2_redis_6.2.17-1_on_cbl_mariner_2.0
redis       redis                                     < 6.2.17                                   6.2.17
redis       redis
redis       redis
redis       redis                                     >= 0, < 5:6.0.16-1+deb11u5                 5:6.0.16-1+deb11u5
redis       redis                                     >= 0, < 5:7.0.15-1~deb12u3                 5:7.0.15-1~deb12u3
redis       redis                                     >= 0, < 5:7.0.15-3                         5:7.0.15-3
redis       redis                                     >= 0, < 5:7.0.15-3                         5:7.0.15-3
redis       redis                                     >= 0, < 5:7.0.15-1ubuntu0.24.04.1          5:7.0.15-1ubuntu0.24.04.1
redis       redis                                     >= 0, < 2:2.8.4-2ubuntu0.2+esm4            2:2.8.4-2ubuntu0.2+esm4
redis       redis                                     >= 0, < 2:3.0.6-1ubuntu0.4+esm3            2:3.0.6-1ubuntu0.4+esm3
redis       redis                                     >= 0, < 5:4.0.9-1ubuntu0.2+esm5            5:4.0.9-1ubuntu0.2+esm5
redis       redis                                     >= 0, < 5:5.0.7-2ubuntu0.1+esm3            5:5.0.7-2ubuntu0.1+esm3
redis       redis                                     >= 0, < 5:6.0.16-1ubuntu1+esm2             5:6.0.16-1ubuntu1+esm2
redis       redis                                     >= 6.2.0, < 6.2.17                         6.2.17

Detection & IOCs (extracted from sources)

  • EVAL and EVALSHA are the attack surface: they are the commands through which an authenticated client hands Lua to the server, and the Lua script is what manipulates the garbage collector. Restrict them via ACL, and log or monitor their use where they must stay enabled.
  • Treat Lua script execution from any client that has no business running scripts as suspicious. Monitor for anomalous EVAL/EVALSHA invocations, in particular script bodies that call Lua's garbage-collector control API (collectgarbage), and for EVALSHA calls whose script body was never observed being loaded.
  • Fixed versions are 7.4.2, 7.2.7 and 6.2.17. Any Redis deployment below these, with Lua scripting reachable by users, is vulnerable; audit for such instances, including the distribution builds in the Affected table.
  • Workaround without patching: use Redis ACL to deny EVAL and EVALSHA to every non-administrative user. Denying the whole @scripting category also covers EVAL_RO/EVALSHA_RO and the FCALL/FUNCTION family, which execute Lua as well, so it is the more complete way to "prevent users from executing Lua scripts" as the advisory puts it.
  • Exploitation needs no access to the host or the redis-server binary; it is carried out with ordinary Redis commands over an authenticated connection. That makes the credential boundary the only precondition, and a default user left on nopass (or no requirepass at all) removes it.
  • Valkey (a Redis fork) is also affected and requires patching; see the lfprojects and msrc entries above.
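The monitoring points above need something concrete to match on. The following is an added example, not Redis project code or a rule from any of the cited sources: it parses the output of redis-cli MONITOR, raises one alert per Lua entry point (EVAL, EVAL_RO, EVALSHA, EVALSHA_RO), and resolves EVALSHA identifiers back to script bodies seen earlier via SCRIPT LOAD or EVAL, which works because Redis names a script by the SHA-1 of its body. It assumes the documented MONITOR line shape (`<timestamp> [<db> <addr>] "CMD" "arg" ...` with backslash escaping inside the quotes); the sample lines are constructed.

```python
"""Flag Lua execution in Redis MONITOR output and resolve EVALSHA bodies.

Added example, not Redis project code. Assumes the MONITOR line format
'<ts> [<db> <addr>] "CMD" "arg" ...' with Redis-style escaping, and that
an EVALSHA identifier is the SHA-1 of the script body (how SCRIPT LOAD
names scripts). Sample input is constructed.
"""
import hashlib
import re

LUA_ENTRYPOINTS = {"EVAL", "EVAL_RO", "EVALSHA", "EVALSHA_RO"}
# Lua's garbage-collector control API; the advisory describes GC manipulation.
GC_API = re.compile(r"\bcollectgarbage\b")
LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]*)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", '"': '"'}


def unquote(raw):
    """Undo the escaping MONITOR applies inside double-quoted arguments."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt == "x" and i + 3 < len(raw):          # \xHH byte escape
                out.append(chr(int(raw[i + 2:i + 4], 16)))
                i += 4
                continue
            out.append(ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def parse_line(line):
    """Split one MONITOR line into timestamp, client address, command and args."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = [unquote(a) for a in ARG_RE.findall(m.group("args"))]
    if not args:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "cmd": args[0].upper(), "args": args[1:]}


def scan_monitor(lines):
    """Return one alert per Lua entry point; EVALSHA bodies resolved when possible."""
    known = {}    # sha1 hex -> script body, learned from SCRIPT LOAD and EVAL
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        cmd, args = ev["cmd"], ev["args"]
        if cmd == "SCRIPT" and len(args) >= 2 and args[0].upper() == "LOAD":
            known[hashlib.sha1(args[1].encode()).hexdigest()] = args[1]
            continue
        if cmd not in LUA_ENTRYPOINTS or not args:
            continue
        if cmd.startswith("EVALSHA"):
            sha = args[0].lower()
            body = known.get(sha)
        else:
            body = args[0]
            sha = hashlib.sha1(body.encode()).hexdigest()
            known[sha] = body
        alerts.append({
            "ts": ev["ts"], "client": ev["client"], "cmd": cmd, "sha": sha, "body": body,
            # None: body never observed, i.e. loaded before monitoring started
            "touches_gc": None if body is None else bool(GC_API.search(body)),
        })
    return alerts


def monitor_line(ts, client, *args):
    """Format a line the way MONITOR prints it (constructed test data only)."""
    quoted = " ".join('"' + a.replace("\\", "\\\\").replace('"', '\\"') + '"' for a in args)
    return f"{ts:.6f} [0 {client}] {quoted}"


GC_SCRIPT = 'collectgarbage("stop") return 1'
SAMPLE = [
    monitor_line(1736150400.1, "10.0.0.5:51234", "SET", "k", "v"),
    monitor_line(1736150401.0, "10.0.0.5:51234", "SCRIPT", "LOAD", GC_SCRIPT),
    monitor_line(1736150401.5, "10.0.0.5:51234", "EVALSHA",
                 hashlib.sha1(GC_SCRIPT.encode()).hexdigest(), "0"),
    monitor_line(1736150402.0, "10.0.0.9:40000", "EVAL", "return redis.call('GET', KEYS[1])", "1", "k"),
    monitor_line(1736150403.0, "10.0.0.9:40000", "EVALSHA", "0" * 40, "0"),
]

if __name__ == "__main__":
    for a in scan_monitor(SAMPLE):
        print(f"{a['ts']:.3f} {a['client']:16} {a['cmd']:10} gc={a['touches_gc']} body={a['body']!r}")
```

On the sample the EVALSHA from 10.0.0.5 is resolved to a body that stops the collector and is flagged, the plain GET wrapper from 10.0.0.9 is reported but not flagged, and the final EVALSHA is reported with an unresolved body, which is the case to chase first in an incident because the script content is not in the capture. MONITOR is expensive on a busy server; the same logic applies to any feed that preserves the command and its arguments, such as a proxy log.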

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                      9.8    CRITICAL
vendor_debian            7.0    HIGH
vendor_msrc              7.0    HIGH
vendor_redhat            7.0    HIGH
vendor_ubuntu            7.0    HIGH

Note the split: NVD's vector scores the issue as reachable without privileges (PR:N), while the advisory text requires an authenticated user and every vendor entry settles on 7.0 HIGH. The 9.8 is the right number for an instance that accepts commands without credentials (no requirepass, or the default user left on nopass); with authentication enforced and EVAL/EVALSHA restricted by ACL, the vendor rating is the closer fit.