cbcvebase.
CVE-2025-46819
published 2025-10-03

Priority: P3 40
CVSS 3.1: 7.1 (High), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS: 1.02% (59.2th percentile)
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to read out-of-bounds data or crash the server, resulting in a denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around the issue without patching the redis-server executable, prevent users from executing Lua scripts: use ACLs to block scripting by restricting both the EVAL and FUNCTION command families.

Note that "authenticated" is a lower bar than it sounds. A default user left at nopass (the out-of-the-box state when no requirepass is set) makes every client that can reach the port an authenticated user, so the ACL restriction has to cover that user as well. The restriction also only holds for users who cannot undo it themselves, i.e. who are not permitted to run ACL SETUSER or CONFIG SET.
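The ACL workaround in practice, as an added example (not code from the Redis project or from this page): a small Python audit that replays the rules of each ACL LIST line left to right, the way redis-server resolves them, and reports which enabled users can still reach the EVAL and FUNCTION command families. Redis applies ACL rules in order, so "+@all -@scripting +@slow" quietly re-enables EVAL because every scripting command is also a member of @slow; the audit models exactly that. The scripting command set and its @slow membership are taken from the Redis command reference; the ACL LIST lines the audit runs on are constructed sample data, and the user names and password hashes in them are invented.

```python
"""Audit `ACL LIST` output for users who can still run Lua (CVE-2025-46819 workaround).

Added example for this page; not code from the Redis project. Redis applies
ACL rules strictly left to right, so "+@all -@scripting +@slow" re-enables
EVAL even though "-@scripting" appears in it. This script replays that order
for the scripting entry points and flags every enabled user who keeps one.
"""

# Entry points through which a client can load or run Lua: the EVAL family,
# the FUNCTION family (FUNCTION, FCALL, FCALL_RO) and SCRIPT (SCRIPT LOAD also
# compiles Lua). All of them are in the @scripting category, and all of them
# are also in @slow.
SCRIPTING_COMMANDS = frozenset({
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "fcall", "fcall_ro", "function", "script",
})

# Categories whose scripting membership this audit models. Any other "+@cat"
# (e.g. +@write, which contains FUNCTION LOAD) is reported as uncertain.
KNOWN_CATEGORIES = {
    "all": SCRIPTING_COMMANDS,
    "scripting": SCRIPTING_COMMANDS,
    "slow": SCRIPTING_COMMANDS,
}

# Constructed sample of `ACL LIST` output. User names are invented and the
# password hash is a 64-hex placeholder, not a real credential.
SAMPLE_ACL_LIST = """
user default on nopass sanitize-payload ~* &* +@all
user app on #5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 ~app:* &* +@all -@scripting
user worker on #5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 ~* &* +@all -@scripting +@slow
user reader on #5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 ~* &* -@all +@read +get +eval_ro
user legacy off nopass ~* &* +@all
"""


def scripting_commands_allowed(rules):
    """Replay command rules in order; return (allowed scripting cmds, uncertain categories)."""
    allowed = set()
    uncertain = []
    for tok in rules:
        low = tok.lower()
        if low in ("allcommands", "+@all"):
            allowed = set(SCRIPTING_COMMANDS)
        elif low in ("nocommands", "-@all"):
            allowed = set()
            uncertain = []
        elif low[:2] in ("+@", "-@"):
            cat = low[2:]
            if cat in KNOWN_CATEGORIES:
                if low[0] == "+":
                    allowed |= KNOWN_CATEGORIES[cat]
                else:
                    allowed -= KNOWN_CATEGORIES[cat]
            elif low[0] == "+":
                uncertain.append(cat)  # may re-add members this audit does not model
        elif low[:1] in ("+", "-"):
            cmd, _, sub = low[1:].partition("|")
            if cmd not in SCRIPTING_COMMANDS:
                continue
            if low[0] == "+":
                allowed.add(cmd)       # "+function|list" still counts: be conservative
            elif not sub:
                allowed.discard(cmd)   # "-function|load" removes one subcommand only
        # "on", "off", "nopass", "#<hash>", "~pattern", "&channel" are not command rules
    return allowed, uncertain


def parse_acl_list_line(line):
    """Split one `ACL LIST` line into (user name, enabled, rule tokens)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    rules = tokens[2:]
    enabled = next((t == "on" for t in reversed(rules) if t in ("on", "off")), False)
    return tokens[1], enabled, rules


def audit_acl_list(lines):
    """Return {user: verdict} for an `ACL LIST` dump given as an iterable of lines."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        name, enabled, rules = parse_acl_list_line(line)
        if not enabled:
            report[name] = "disabled"
            continue
        allowed, uncertain = scripting_commands_allowed(rules)
        if allowed:
            verdict = "ALLOWED: " + ", ".join(sorted(allowed))
        elif uncertain:
            verdict = ("UNCERTAIN: +@" + ", +@".join(uncertain)
                       + " after scripting was removed; check with ACL GETUSER")
        else:
            verdict = "blocked"
        if verdict != "blocked" and "nopass" in rules:
            verdict += " (nopass: every client that reaches the port is authenticated)"
        report[name] = verdict
    return report


def recommended_setuser(user):
    """The advisory's workaround for one user as an ACL SETUSER command.

    Appending "-@scripting" makes it the last rule evaluated, so it wins over
    any earlier "+@all" or "+@slow".
    """
    return f"ACL SETUSER {user} -@scripting"


if __name__ == "__main__":
    for user, verdict in audit_acl_list(SAMPLE_ACL_LIST.splitlines()).items():
        print(f"{user:8} {verdict}")
        if verdict.startswith(("ALLOWED", "UNCERTAIN")):
            print(f"         fix: {recommended_setuser(user)}")
```

On a live server, feed it the real output of redis-cli ACL LIST, then apply the emitted ACL SETUSER lines (the default user included if it is still nopass), persist with ACL SAVE when users live in an aclfile or CONFIG REWRITE when they live in redis.conf, and confirm that EVAL "return 1" 0 as the restricted user now fails with a NOPERM error.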

Affected

30 ranges (showing 25)

Vendor     | Product                                     | Version range                  | Fixed in
debian     | redict                                      | < redict 7.3.6+ds-1 (forky)    | redict 7.3.6+ds-1 (forky)
debian     | redis                                       | < redict 7.3.6+ds-1 (forky)    | redict 7.3.6+ds-1 (forky)
debian     | valkey                                      | < redict 7.3.6+ds-1 (forky)    | redict 7.3.6+ds-1 (forky)
lfprojects | valkey                                      | >= 0 < 8.1.1+dfsg1-3+deb13u1   | 8.1.1+dfsg1-3+deb13u1
lfprojects | valkey                                      | >= 0 < 8.1.4+dfsg1-1           | 8.1.4+dfsg1-1
lfprojects | valkey                                      | >= 0 < 7.2.11+dfsg1-0ubuntu0.2 | 7.2.11+dfsg1-0ubuntu0.2
lfprojects | valkey                                      | >= 0 < 8.1.4+dfsg1-0ubuntu0.2  | 8.1.4+dfsg1-0ubuntu0.2
msrc       | azl3_ceph_18.2.2-10_on_azure_linux_3.0      | -                              | -
msrc       | azl3_kernel_6.6.47.1-1_on_azure_linux_3.0   | -                              | -
msrc       | azl3_kernel_6.6.51.1-5_on_azure_linux_3.0   | -                              | -
msrc       | azl3_valkey_8.0.4-1_on_azure_linux_3.0      | -                              | -
msrc       | azure_linux_3.0_arm                         | -                              | -
msrc       | azure_linux_3.0_x64                         | -                              | -
msrc       | cbl2_ceph_16.2.10-9_on_cbl_mariner_2.0      | -                              | -
msrc       | cbl2_kernel_5.15.164.1-1_on_cbl_mariner_2.0 | -                              | -
msrc       | cbl2_kernel_5.15.167.1-1_on_cbl_mariner_2.0 | -                              | -
msrc       | cbl2_redis_6.2.18-3_on_cbl_mariner_2.0      | -                              | -
msrc       | cbl2_redis_6.2.20-1_on_cbl_mariner_2.0      | -                              | -
msrc       | cbl_mariner_2.0_arm                         | -                              | -
msrc       | cbl_mariner_2.0_x64                         | -                              | -
redis      | redis                                       | < 8.2.2                        | 8.2.2
redis      | redis                                       | < 6.2.20                       | 6.2.20
redis      | redis                                       | >= 0 < 5:6.0.16-1+deb11u8      | 5:6.0.16-1+deb11u8
redis      | redis                                       | >= 0 < 5:7.0.15-1~deb12u6      | 5:7.0.15-1~deb12u6
redis      | redis                                       | >= 0 < 5:8.0.2-3+deb13u1       | 5:8.0.2-3+deb13u1

("-" means the page lists no version range or fix for that entry.)

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | 3.1          | 7.1   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
osv           | -            | 8.8   | HIGH     | -
vendor_ubuntu | -            | 7.0   | HIGH     | -
vendor_debian | -            | 6.3   | MEDIUM   | -
vendor_msrc   | -            | 6.3   | MEDIUM   | -
vendor_redhat | -            | 6.3   | MEDIUM   | -