CVE-2025-46817
published 2025-10-03


Priority: P2, 67, high
CVSS 3.1: 8.8 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.69% (88.3rd percentile)
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.

Affected (22 ranges)

Vendor      Product   Version range                          Fixed in
debian      redict    < redict 7.3.6+ds-1 (forky)            redict 7.3.6+ds-1 (forky)
debian      redis     < redict 7.3.6+ds-1 (forky)            redict 7.3.6+ds-1 (forky)
debian      valkey    < redict 7.3.6+ds-1 (forky)            redict 7.3.6+ds-1 (forky)
lfprojects  valkey    >= 0 < 8.1.1+dfsg1-3+deb13u1           8.1.1+dfsg1-3+deb13u1
lfprojects  valkey    >= 0 < 8.1.4+dfsg1-1                   8.1.4+dfsg1-1
lfprojects  valkey    >= 0 < 7.2.11+dfsg1-0ubuntu0.2         7.2.11+dfsg1-0ubuntu0.2
lfprojects  valkey    >= 0 < 8.1.4+dfsg1-0ubuntu0.2          8.1.4+dfsg1-0ubuntu0.2
msrc        azl3_ceph_18.2.2-11_on_azure_linux_3.0           -
msrc        azl3_valkey_8.0.4-1_on_azure_linux_3.0           -
msrc        cbl2_ceph_16.2.10-9_on_cbl_mariner_2.0           -
msrc        cbl2_redis_6.2.18-3_on_cbl_mariner_2.0           -
msrc        cbl2_redis_6.2.20-1_on_cbl_mariner_2.0           -
redis       redis     < 8.2.2                                8.2.2
redis       redis     < 6.2.20                               6.2.20
redis       redis     >= 0 < 5:6.0.16-1+deb11u8              5:6.0.16-1+deb11u8
redis       redis     >= 0 < 5:7.0.15-1~deb12u6              5:7.0.15-1~deb12u6
redis       redis     >= 0 < 5:8.0.2-3+deb13u1               5:8.0.2-3+deb13u1
redis       redis     >= 0 < 5:8.0.4-1                       5:8.0.4-1
redis       redis     >= 7.0 < 7.2.11                        7.2.11
redis       redis     >= 7.4.0 < 7.4.6                       7.4.6
redis       redis     >= 8.0.0 < 8.0.4                       8.0.4
redis       redis     >= 8.2.0 < 8.2.2                       8.2.2

Detection & IOCs (extracted from sources)

port: 6379
command: EVAL
command: EVALSHA
version: redis_version <= 8.2.1
  • Detect Redis instances running version 8.2.1 or below by extracting the redis_version field from the INFO server response.
  • Monitor for EVAL or EVALSHA commands submitted by authenticated clients to Redis on port 6379, as these are the attack vectors for triggering the integer overflow via crafted Lua scripts.
  • Use Shodan or network scanning to identify exposed Redis instances using the query: product:"redis"
  • Probe for Lua scripting availability by sending a benign EVAL payload and checking for a 'lua enabled' response string to confirm the attack surface is present.
  • Exploitation requires an authenticated client with permission to execute Lua scripts; unauthenticated network attackers cannot directly trigger this vulnerability.
  • No public proof-of-concept or known in-the-wild exploits were available as of initial advisories, reducing immediate operational risk despite theoretical RCE impact.
  • The Nuclei detection template checks two conditions: (1) Redis version <= 8.2.1 via INFO response, and (2) Lua scripting is enabled and responsive; both must be true for a positive detection.
  • For Schneider Electric Plant iT/Brewmaxx environments, disabling EVAL commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality is a recommended mitigation.
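The two checks the bullets above describe, as an added example that is not part of this page or of any vendor's tooling: parse redis_version out of an INFO server reply and test it against the upstream fix versions from the table above, and flag EVAL/EVALSHA entries in MONITOR output so Lua script use by authenticated clients can be reviewed. The INFO and MONITOR samples are constructed, not real captures.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Upstream Redis fix versions per series, taken from the affected-ranges table
# on this page. A build below the fix in its series, or in a series with no
# fix listed, counts as affected; anything above 8.2.1 is treated as fixed.
FIXED: List[Version] = [(6, 2, 20), (7, 2, 11), (7, 4, 6), (8, 0, 4), (8, 2, 2)]
LAST_AFFECTED: Version = (8, 2, 1)

def parse_redis_version(info: str) -> Optional[Version]:
    """Pull redis_version out of an INFO server reply (CRLF-separated lines)."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def is_affected(version: Version) -> bool:
    """True if this redis_version still needs the CVE-2025-46817 fix."""
    if version > LAST_AFFECTED:
        return False
    for fix in FIXED:
        if version[:2] == fix[:2]:
            return version < fix
    return True  # e.g. 5.x or 7.3.x: no fixed release listed in that series

# MONITOR lines look like: <timestamp> [<db> <client addr>] "<CMD>" "<arg>" ...
_MONITOR_LINE = re.compile(r'^\S+ \[(\d+) ([^\]]+)\] "(\w+)"')

def lua_script_events(monitor_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client address, command) for every EVAL/EVALSHA in MONITOR output."""
    hits = []
    for line in monitor_lines:
        m = _MONITOR_LINE.match(line)
        if m and m.group(3).upper() in ("EVAL", "EVALSHA"):
            hits.append((m.group(2), m.group(3).upper()))
    return hits

# Constructed sample data (not real captures); the EVALSHA digest is a dummy.
SAMPLE_INFO = "# Server\r\nredis_version:8.2.1\r\nredis_mode:standalone\r\n"
SAMPLE_MONITOR = [
    '1696300000.000001 [0 10.0.0.5:51234] "GET" "session:1"',
    '1696300000.000002 [0 10.0.0.9:40112] "EVAL" "return 1" "0"',
    '1696300000.000003 [0 10.0.0.9:40112] "EVALSHA" "0000000000000000000000000000000000000000" "0"',
]

if __name__ == "__main__":
    v = parse_redis_version(SAMPLE_INFO)
    print("redis_version", v, "affected:", is_affected(v))
    print("Lua script commands:", lua_script_events(SAMPLE_MONITOR))
```

Run the version check against the output of a live INFO server call and the MONITOR filter over a short capture; the MONITOR command itself is expensive on busy instances, so sample rather than run it continuously.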

CVSS provenance

nvd:            v3.1 8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv:            8.8 HIGH
vendor_debian:  7.0 HIGH
vendor_msrc:    7.0 HIGH
vendor_redhat:  7.0 HIGH
vendor_ubuntu:  7.0 HIGH