Cyber Resilience

CVE-2024-46981

Severity: High · Public PoC referenced

Published: 06 January 2025
Modified: 05 September 2025
KEV Added: not listed
Patch: available
CVSS v3.1 score: 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.8073 (99.2nd percentile)
Risk Priority: 62 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-46981 is a high-severity Use After Free (CWE-416) vulnerability in Redis (vendor: Redis). Its CVSS v3.1 base score is 7.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-7 (Least Functionality).

Deeper analysis

Redis is an open source in-memory database that persists on disk. CVE-2024-46981 is a use-after-free issue (CWE-416) in its Lua scripting subsystem. An authenticated user who can execute Lua can supply a crafted script that interferes with the garbage collector, potentially resulting in remote code execution. The flaw affects all versions prior to the patches released in 7.4.2, 7.2.7, and 6.2.17.

An attacker with an existing authenticated session on the Redis instance can exploit the vulnerability by sending a malicious EVAL or EVALSHA command. Successful exploitation grants the attacker the ability to execute arbitrary code on the server with the privileges of the redis process. The CVSS 7.0 score reflects the local attack vector, high complexity, and high impact on confidentiality, integrity, and availability.

The official Redis advisories and release notes state that the issue is resolved in the three versions listed above. As a workaround without upgrading the server binary, administrators can use ACL rules to deny the EVAL and EVALSHA commands to untrusted users, thereby blocking Lua script execution entirely. The EPSS score has remained flat at 0.8073 with no material increase since disclosure.

EU & UK References

Vulnerability details

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
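The ACL workaround described in the analysis and in the vendor text above only holds if no enabled user retains a rule path to Lua. The following audit script is an added example, not part of this record or of the Redis project: it parses `ACL LIST` output (a constructed sample, with a placeholder password hash) and reports which users can still run EVAL or EVALSHA. It also treats EVAL_RO and EVALSHA_RO, the read-only variants added in Redis 7.0 that run the same Lua engine, as in scope even though the advisory names only EVAL and EVALSHA; all four belong to the @scripting category, so `-@scripting` is the simpler rule.

```python
import shlex

# Lua-executing commands to check: the two the advisory names, plus the
# read-only variants added in Redis 7.0. All four belong to the @scripting
# ACL category, which is why "-@scripting" is the broader workaround rule.
LUA_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro"}


def lua_allowed(acl_line: str) -> set[str]:
    """Return the Lua commands one 'ACL LIST' line still permits.

    Command rules are applied left to right, as Redis does, so a later token
    overrides an earlier one. Key/channel patterns and password hashes are
    ignored; a user marked 'off' can run nothing.
    """
    allowed: set[str] = set()
    enabled = True
    for tok in shlex.split(acl_line)[2:]:  # skip the leading 'user <name>'
        tok = tok.lower()
        if tok in ("on", "off"):
            enabled = tok == "on"
        elif tok in ("allcommands", "+@all"):
            allowed = set(LUA_COMMANDS)
        elif tok in ("nocommands", "-@all", "-@scripting"):
            allowed.clear()
        elif tok == "+@scripting":
            allowed |= LUA_COMMANDS
        elif tok[:1] in "+-" and tok[1:] in LUA_COMMANDS:
            (allowed.add if tok[0] == "+" else allowed.discard)(tok[1:])
    return allowed if enabled else set()


def audit(acl_list_output: str) -> dict[str, set[str]]:
    """Map each user to the Lua commands it may run; an empty set means safe."""
    return {shlex.split(line)[1]: lua_allowed(line)
            for line in acl_list_output.strip().splitlines()}


# Constructed sample of 'ACL LIST' output (not captured from a real server);
# the sha256 password hash is an all-zero placeholder.
SAMPLE_ACL_LIST = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #0000000000000000000000000000000000000000000000000000000000000000 ~app:* &* +@all -@scripting
user reporter on nopass ~* &* -@all +@read +eval_ro
user legacy off nopass ~* &* +@all
user ops on nopass ~* &* +@all -eval -evalsha
"""

if __name__ == "__main__":
    for user, cmds in audit(SAMPLE_ACL_LIST).items():
        status = "ok" if not cmds else "can run Lua via " + ", ".join(sorted(cmds))
        print(f"{user:10s} {status}")
```

In the sample, `ops` follows the advisory's wording literally (`-eval -evalsha`) and is flagged because the read-only variants remain reachable, while `app` with `-@scripting` passes.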

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Use-after-free in Redis Lua script handling directly enables RCE via crafted EVAL/EVALSHA commands after authentication, mapping to exploitation of a public-facing database application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23479 · Same product: Redis Redis
CVE-2026-23631 · Same product: Redis Redis
CVE-2025-49844 · Same product: Redis Redis
CVE-2025-68670 · Same product: Debian Debian Linux
CVE-2025-0838 · Same product: Debian Debian Linux
CVE-2025-63651 · Shared CWE-416
CVE-2026-31972 · Shared CWE-416
CVE-2025-70968 · Shared CWE-416
CVE-2026-0794 · Shared CWE-416
CVE-2026-32942 · Shared CWE-416

Affected Assets

redis / redis: 6.2.0 — 6.2.17 · 7.2.0 — 7.2.7 · 7.4.0 — 7.4.2
debian / debian linux: 11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly remediates the use-after-free vulnerability in the Redis Lua garbage collector by applying the vendor patches in versions 7.4.2, 7.2.7, and 6.2.17, preventing RCE via crafted Lua scripts.

Prevent (AC-6, Least Privilege): Enforces least privilege using Redis ACL to restrict the EVAL and EVALSHA commands to only the users that need them, blocking exploitation by low-privilege authenticated users as recommended in the workaround.

Prevent (CM-7, Least Functionality): Prohibits unnecessary system functionality by disabling or restricting Lua script execution, reducing the attack surface for garbage collector manipulation.

References