Redis Lua Scripting Vulnerability Allowing Code Execution in Another User's Context

Vulnerability

A vulnerability in Redis versions through 8.2.1 allows authenticated users to execute crafted Lua scripts that can manipulate Lua objects and potentially execute code in the context of other users. This issue affects all Redis versions that support Lua scripting.

Impact

Exploitation of this vulnerability allows for unauthorized code execution in the context of another user.

Reproduction

To reproduce this vulnerability, an authenticated user can execute a Lua script that manipulates Lua objects and uses deprecated functions such as `setfenv` or `newproxy` to run code in the context of another user.

Remediation

Users can upgrade to Redis version 8.2.2, which addresses this vulnerability. Alternatively, Lua script execution can be disabled using Access Control Lists (ACLs) to restrict the EVAL and FUNCTION command families.
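The ACL workaround in concrete form, as an added example that is not part of the original advisory. It is a redis-cli session (lines beginning with # are annotations, not commands); the user name `appuser` and the placeholder password are assumptions. Because ACL rules are applied left to right, `-@scripting` must come after `+@all` to take effect; the `@scripting` category covers EVAL, EVALSHA, their `_RO` variants, FCALL, FUNCTION and SCRIPT, so a single rule restricts both command families named above.

```text
# Create (or update) the application user with every command except scripting
ACL SETUSER appuser on >REPLACE_WITH_STRONG_PASSWORD ~* &* +@all -@scripting

# List exactly which commands the category removes on this server version
ACL CAT scripting

# Check the effective permission before rolling out: a denied command returns
# a description of the failed check instead of OK
ACL DRYRUN appuser EVAL "return 1" 0
ACL DRYRUN appuser FUNCTION LOAD "#!lua name=x"
ACL DRYRUN appuser GET somekey

# Persist the rule (requires the aclfile directive; users defined in
# redis.conf are persisted with CONFIG REWRITE instead)
ACL SAVE
```

Before applying this on a production instance, confirm that no client library in use depends on EVAL (rate limiters and distributed locks commonly do), since those calls will start failing with a NOPERM error once the rule is in place.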

Added: Oct 3, 2025, 7:39 PM
Updated: Oct 3, 2025, 7:39 PM

Vulnerability Rating

Custom Algorithm

  spread          5.7
  impact          5.0
  exploitability  4.5
  remediation     7.9
  relevance       0.6
  threat          4.9
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.