CVE-2025-46818
published 2025-10-03


Priority: P3 (48) high
CVSS 3.1 base score: 7.3
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.70% (48.5th percentile)
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different Lua objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
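The ACL workaround described above, shown as an added configuration example that is not part of this record or of the Redis project's own documentation: the permissive user definition beside the corrected one. The ACL file path and the user name `app` are assumptions, and the password is a placeholder.

```conf
# redis.conf: load user definitions from an external ACL file (assumed path)
aclfile /etc/redis/users.acl

# /etc/redis/users.acl

# Weak: "+@all" includes the @scripting category, so this authenticated
# user can run EVAL/EVALSHA/FCALL/FUNCTION and reach the Lua engine.
# ("&*" grants all pub/sub channels and needs Redis 6.2 or later.)
# user app on >REPLACE_WITH_PASSWORD ~* &* +@all

# Corrected: keep full data access but subtract the @scripting category.
# Rules apply left to right, so "-@scripting" after "+@all" removes EVAL,
# EVALSHA, EVAL_RO, EVALSHA_RO, SCRIPT, FUNCTION, FCALL and FCALL_RO,
# i.e. both command families named in the advisory.
user app on >REPLACE_WITH_PASSWORD ~* &* +@all -@scripting
```

After editing the file, apply it with `ACL LOAD` on the running server and confirm with `ACL GETUSER app` that the command list shows `-@scripting`.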

Affected

26 ranges (showing 25)

Vendor     | Product                                      | Version range                       | Fixed in
debian     | redict                                       | < redict 7.3.6+ds-1 (forky)         | redict 7.3.6+ds-1 (forky)
debian     | redis                                        | < redict 7.3.6+ds-1 (forky)         | redict 7.3.6+ds-1 (forky)
debian     | valkey                                       | < redict 7.3.6+ds-1 (forky)         | redict 7.3.6+ds-1 (forky)
lfprojects | valkey                                       | >= 0 < 8.1.1+dfsg1-3+deb13u1        | 8.1.1+dfsg1-3+deb13u1
lfprojects | valkey                                       | >= 0 < 8.1.4+dfsg1-1                | 8.1.4+dfsg1-1
lfprojects | valkey                                       | >= 0 < 7.2.11+dfsg1-0ubuntu0.2      | 7.2.11+dfsg1-0ubuntu0.2
lfprojects | valkey                                       | >= 0 < 8.1.4+dfsg1-0ubuntu0.2       | 8.1.4+dfsg1-0ubuntu0.2
msrc       | azl3_kernel_6.6.47.1-1_on_azure_linux_3.0    |                                     |
msrc       | azl3_kernel_6.6.51.1-5_on_azure_linux_3.0    |                                     |
msrc       | azl3_valkey_8.0.4-1_on_azure_linux_3.0       |                                     |
msrc       | azure_linux_3.0_arm                          |                                     |
msrc       | azure_linux_3.0_x64                          |                                     |
msrc       | cbl2_kernel_5.15.164.1-1_on_cbl_mariner_2.0  |                                     |
msrc       | cbl2_kernel_5.15.167.1-1_on_cbl_mariner_2.0  |                                     |
msrc       | cbl2_redis_6.2.20-1_on_cbl_mariner_2.0       |                                     |
msrc       | cbl_mariner_2.0_arm                          |                                     |
msrc       | cbl_mariner_2.0_x64                          |                                     |
redis      | redis                                        | < 8.2.2                             | 8.2.2
redis      | redis                                        | < 6.2.20                            | 6.2.20
redis      | redis                                        | >= 0 < 5:7.0.15-1~deb12u6           | 5:7.0.15-1~deb12u6
redis      | redis                                        | >= 0 < 5:8.0.2-3+deb13u1            | 5:8.0.2-3+deb13u1
redis      | redis                                        | >= 0 < 5:8.0.4-1                    | 5:8.0.4-1
redis      | redis                                        | >= 7.0 < 7.2.11                     | 7.2.11
redis      | redis                                        | >= 7.4.0 < 7.4.6                    | 7.4.6
redis      | redis                                        | >= 8.0.0 < 8.0.4                    | 8.0.4

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.3   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
osv           |         | 8.8   | HIGH     |
vendor_msrc   |         | 7.8   | HIGH     |
vendor_ubuntu |         | 7.0   | HIGH     |
vendor_debian |         | 6.0   | MEDIUM   |
vendor_redhat |         | 6.0   | MEDIUM   |