Cyber Resilience

CVE-2024-31449

High

Published: 07 October 2024
Modified: 04 September 2025
KEV Added: not listed
Patch: available (see fixed versions below)
CVSS Score v3.1: 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6412 (98.5th percentile)
Risk Priority: 52 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-31449 is a high-severity Improper Input Validation (CWE-20) vulnerability in Redis. Its CVSS base score is 7.0 (High).

Operationally, it is ranked in the top 1.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Redis is an open-source in-memory database that supports Lua scripting. CVE-2024-31449 is a stack buffer overflow in the bit library exposed to Lua scripts that can be triggered by a specially crafted script. The flaw, tracked under CWE-20 and CWE-121, affects all versions of Redis that include Lua scripting support and carries a CVSS 3.1 score of 7.0.

An authenticated user with the ability to execute Lua scripts can supply malicious input that overflows the stack buffer. Successful exploitation may result in remote code execution on the Redis server, although, per the CVSS vector, the attack requires local access (AV:L), low privileges (PR:L), and high attack complexity (AC:H).

The official Redis security advisory and accompanying patches state that the issue has been resolved in versions 6.2.16, 7.2.6, and 7.4.1. No workarounds are available, and users are advised to upgrade promptly. The associated EPSS score currently stands at 0.6132 with a recorded peak of 0.6321.


Vulnerability details

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

CWE-20 (Improper Input Validation); CWE-121 (Stack-based Buffer Overflow)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: redis
Product: redis
Affected versions: 7.4.0; 2.8.18 — 6.2.16; 7.2.0 — 7.2.6

Mitigating Controls (likely controls, AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-20: Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

Addresses CWE-20: Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

Addresses CWE-20: Directly implements checks on information inputs to reject invalid data before processing.

Addresses CWE-20: Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
