CVE-2024-46981
Published: 06 January 2025
Summary
CVE-2024-46981 is a high-severity use-after-free (CWE-416) vulnerability in Redis. Its CVSS base score is 7.0 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-7 (Least Functionality).
Deeper analysis
Redis is an open source in-memory database that persists on disk. CVE-2024-46981 is a use-after-free (CWE-416) in the Lua scripting engine embedded in redis-server. An authenticated user who is allowed to execute Lua can supply a crafted script that manipulates the Lua garbage collector into freeing an object that is still in use, potentially resulting in remote code execution. The flaw affects all versions prior to the fixed releases 7.4.2, 7.2.7, and 6.2.17.
An attacker who already holds an authenticated session on the Redis instance exploits the vulnerability by sending the crafted script in an EVAL or EVALSHA command. Successful exploitation yields arbitrary code execution with the privileges of the redis-server process. The CVSS 7.0 score reflects the vendor's vector: local attack vector, high attack complexity, low privileges required (any authenticated user who can run scripts), no user interaction, and high impact on confidentiality, integrity, and availability. Note that "authenticated" is a low bar on instances that still use the default user without a password, or that share one application credential across all clients.
The official Redis advisories and release notes state that the issue is resolved in the three versions listed above. As a workaround without upgrading the server binary, administrators can use ACL rules to deny the EVAL and EVALSHA commands to untrusted users, which blocks Lua script execution through those commands. The EPSS score has remained flat at 0.8073 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42220
Vulnerability details
Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
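The ACL workaround described in the Deeper analysis and repeated in the vendor text above is easy to get subtly wrong: denying only EVAL and EVALSHA leaves EVAL_RO, FCALL, FUNCTION and the other members of Redis's @scripting category, which also run Lua. The following Python is an added example, not Redis project code and not part of this advisory. It parses constructed samples of `INFO server` and `ACL LIST` output offline, decides whether the reported version is on a fixed release, and reports which users can still reach a Lua entry point. The command list, the assumption that the @scripting and @slow categories contain every such command, and the treatment of branches newer than 7.4 as patched are this example's own choices.

```python
"""Offline exposure check for CVE-2024-46981 (Redis Lua use-after-free).

Added example, not Redis project code. Inputs are constructed samples of
what `redis-cli INFO server` and `redis-cli ACL LIST` print.
"""
import re

# First fixed release on each branch, per the advisory.
FIXED = {(7, 4): (7, 4, 2), (7, 2): (7, 2, 7), (6, 2): (6, 2, 17)}

# Commands that execute Lua. EVAL/EVALSHA are the ones the advisory names; the
# rest are the other members of Redis's @scripting ACL category, included as
# a defensive superset (this example's assumption, not the advisory's wording).
LUA_COMMANDS = frozenset({"eval", "evalsha", "eval_ro", "evalsha_ro",
                          "fcall", "fcall_ro", "function", "script"})
# ACL categories that contain every command above (assumption: each of them
# is tagged @slow and @scripting in COMMAND INFO).
COVERING_CATEGORIES = {"all", "scripting", "slow"}


def parse_version(info_server: str) -> tuple:
    """Extract (major, minor, patch) from INFO server output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def is_patched(version: tuple) -> bool:
    """True if the version is at or past the fix on its branch. Branches newer
    than 7.4 are assumed patched; older branches without a fix (e.g. 7.0) are not."""
    fixed = FIXED.get(version[:2])
    if fixed is not None:
        return version >= fixed
    return version > max(FIXED.values())


def lua_commands_allowed(acl_line: str) -> set:
    """Subset of LUA_COMMANDS one `ACL LIST` line lets the user run.
    Rules are applied left to right, as Redis does; disabled users get nothing."""
    tokens = acl_line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError("not an ACL LIST line: %r" % acl_line)
    enabled = False
    allowed = set()
    for tok in tokens[2:]:
        if tok == "on":
            enabled = True
        elif tok == "off":
            enabled = False
        elif tok == "allcommands":
            allowed = set(LUA_COMMANDS)
        elif tok == "nocommands":
            allowed = set()
        elif tok[:2] in ("+@", "-@"):
            if tok[2:].lower() in COVERING_CATEGORIES:
                allowed = set(LUA_COMMANDS) if tok[0] == "+" else set()
        elif tok[0] in "+-":
            # "+function|load" grants one subcommand; treat the base command as reachable.
            base = tok[1:].split("|", 1)[0].lower()
            if base in LUA_COMMANDS:
                if tok[0] == "+":
                    allowed.add(base)
                else:
                    allowed.discard(base)
    return allowed if enabled else set()


def audit(info_server: str, acl_list: str) -> dict:
    """Combine the version check with a per-user Lua reachability report."""
    version = parse_version(info_server)
    users_with_lua = {}
    for line in acl_list.splitlines():
        line = line.strip()
        if not line:
            continue
        cmds = lua_commands_allowed(line)
        if cmds:
            users_with_lua[line.split()[1]] = sorted(cmds)
    return {"version": version, "patched": is_patched(version),
            "users_with_lua": users_with_lua}


def acl_workaround(username: str) -> str:
    """ACL SETUSER command removing every Lua entry point from an existing user."""
    return f"ACL SETUSER {username} -@scripting"


# Constructed sample output (not captured from a real instance; hashes are fake).
SAMPLE_INFO = "# Server\nredis_version:7.2.4\nredis_mode:standalone\n"
SAMPLE_ACL = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #deadbeef ~app:* &* -@all +get +set +@scripting -eval -evalsha
user reporter on #cafef00d ~* &* +@all -@scripting
user legacy off nopass ~* &* +@all
"""

if __name__ == "__main__":
    report = audit(SAMPLE_INFO, SAMPLE_ACL)
    print("version %d.%d.%d patched=%s" % (*report["version"], report["patched"]))
    for user, cmds in report["users_with_lua"].items():
        print(f"  {user}: can run {', '.join(cmds)} -> {acl_workaround(user)}")
```

Feed it real output from `redis-cli INFO server` and `redis-cli ACL LIST`. In the constructed sample the `app` user is the instructive case: it was "hardened" with `-eval -evalsha` exactly as the advisory suggests, yet still reaches Lua through EVAL_RO, FCALL and FUNCTION. Denying the whole category with `ACL SETUSER <name> -@scripting` is the stricter form of the workaround; persist it with `ACL SAVE` or in the aclfile so it survives a restart.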
- CWE-416: Use After Free
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
The use-after-free in Redis's Lua script handling is reached through crafted EVAL/EVALSHA commands once the attacker is authenticated, so it maps to exploitation of a public-facing database application wherever the instance is reachable over the network.
Mitigating Controls (NIST 800-53 r5)
- Vendor patch: directly remediates the use-after-free in the Lua garbage collector embedded in Redis by upgrading to 7.4.2, 7.2.7, or 6.2.17, removing the RCE path via crafted Lua scripts.
- AC-6 (Least Privilege): uses Redis ACLs to restrict EVAL and EVALSHA to the users that need them, blocking exploitation by low-privilege authenticated accounts, as recommended in the vendor workaround.
- CM-7 (Least Functionality): disables or restricts Lua script execution where it is not required, removing the attack surface for garbage collector manipulation.