Redis
cpe:2.3:a:redis:redis:*:*:*:*:*:*:*
- <= 8.2.1
A critical remote code execution vulnerability has been identified in Redis versions 8.2.1 and prior. This issue allows an authenticated user to execute a specially crafted Lua script that manipulates the garbage collector, triggering a use-after-free condition. The vulnerability exists in all Redis versions that support Lua scripting.
Exploitation of this vulnerability could lead to unauthorized remote code execution on the server where Redis is running.
Users can upgrade to Redis version 8.2.2, which addresses this vulnerability. Alternatively, without patching the Redis server executable, Lua script execution can be disabled by using Access Control Lists (ACLs) to restrict the EVAL and EVALSHA commands.
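As an added example (not part of this advisory or of Redis itself), the following Python audit reads `ACL LIST` output and flags enabled users who can still reach EVAL or EVALSHA after the ACL restriction described above. It assumes the `user <name> <rule> ...` line format and the `@all` / `@scripting` command categories that Redis ACLs use; the sample lines are constructed, not taken from a real server.

```python
"""Audit `redis-cli ACL LIST` output for users who can still run EVAL or EVALSHA."""

SCRIPTING_CMDS = ("eval", "evalsha")  # commands the advisory says to restrict

def user_can_run(rules, command):
    """Walk ACL rule tokens left to right (later tokens override earlier ones)
    and report whether `command` ends up allowed. Key/channel patterns and
    passwords are skipped; Redis 7 selectors (parenthesised groups) are not handled."""
    allowed = False  # a freshly created user starts with no commands
    for tok in rules:
        if tok in ("allcommands", "+@all", "+@scripting", "+" + command):
            allowed = True
        elif tok in ("nocommands", "-@all", "-@scripting", "-" + command):
            allowed = False
    return allowed

def parse_acl_list_line(line):
    """Turn one 'user <name> <rule> ...' line into (name, enabled, rules)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "user":
        raise ValueError("not an ACL LIST line: %r" % line)
    name, rules = parts[1], parts[2:]
    enabled = False
    for tok in rules:  # the on/off flag is also last-one-wins
        if tok == "on":
            enabled = True
        elif tok == "off":
            enabled = False
    return name, enabled, rules

def audit_acl_list(lines):
    """Return the enabled users that can run any of SCRIPTING_CMDS."""
    return [
        name
        for name, enabled, rules in map(parse_acl_list_line, lines)
        if enabled and any(user_can_run(rules, c) for c in SCRIPTING_CMDS)
    ]

# Constructed sample output (not from a real server); '#<hash>' stands in for
# the SHA-256 password hash that Redis prints in ACL LIST.
SAMPLE_ACL_LIST = [
    "user default on nopass ~* &* +@all",
    "user app on #<hash> ~app:* resetchannels -@all +@read +@write",
    "user batch on #<hash> ~* &* +@all -@scripting",
    "user legacy on #<hash> ~* &* +@all -eval -evalsha",
    "user partial on #<hash> ~* &* +@all -eval",
    "user ops off #<hash> ~* &* +@all",
]
```

Running `audit_acl_list(SAMPLE_ACL_LIST)` returns `['default', 'partial']`: `partial` still has EVALSHA because only `-eval` was applied. The matching restriction for a user is `ACL SETUSER <user> -eval -evalsha` (or `-@scripting` to remove the whole scripting category).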