CVE-2025-46818
Published: 03 October 2025
Summary
CVE-2025-46818 is a medium-severity Code Injection (CWE-94) vulnerability in Redis. Its CVSS base score is 6.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 12.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Redis is an open source in-memory database that persists on disk. CVE-2025-46818 affects all versions through 8.2.1 that support Lua scripting and stems from insufficient isolation between Lua objects. An authenticated user can supply a crafted Lua script that manipulates these objects, enabling execution of attacker-controlled code in the security context of another user. The issue is tracked under CWE-94 and carries a CVSS 3.1 score of 6.0.
An attacker who already possesses an authenticated Redis session can therefore leverage the Lua environment to escalate privileges across user contexts without requiring additional network access or user interaction beyond the initial authentication.
The official fix is included in Redis 8.2.2. The project advisory and release notes also describe a workaround that uses ACL rules to block the EVAL and FUNCTION command families, thereby preventing any Lua script execution without modifying the server binary.
EPSS for the vulnerability rose from a low baseline to a peak of 0.0710 on 2026-02-23 before receding to the current value of 0.0324, indicating measurable post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-33201
Vulnerability details
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different Lua objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
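The ACL workaround is a one-line rule change, but it is easy to assume it is in place when a later grant such as `+@write` has quietly re-enabled the FUNCTION family, since Redis evaluates command rules left to right and the last matching rule wins. The following added example (written for this page, not Redis project code) parses `ACL LIST` output and reports which Lua-related commands each enabled user can still run, then shows the explicit deny rules that implement the advisory's workaround. The category membership table is reconstructed from the Redis command documentation and is an assumption to verify with `ACL CAT scripting` on the build you run; the `ACL LIST` lines are constructed sample data, and the ACL evaluation is a simplified model covering command rules only (selectors and key/channel patterns are ignored).

```python
"""Audit `ACL LIST` output for the CVE-2025-46818 Lua-scripting workaround.

Added example, not Redis project code. Models a subset of Redis ACL
command-rule evaluation: rules apply left to right, last match wins.
"""
import re

# Lua-related command families and the ACL categories each belongs to.
# Assumption reconstructed from the Redis command docs; confirm with ACL CAT.
SCRIPTING_COMMANDS = {
    "eval": {"scripting", "slow"},
    "evalsha": {"scripting", "slow"},
    "eval_ro": {"scripting", "slow"},
    "evalsha_ro": {"scripting", "slow"},
    "fcall": {"scripting", "slow"},
    "fcall_ro": {"scripting", "slow"},
    # FUNCTION LOAD/DELETE/FLUSH are write commands, so +@write re-enables them.
    "function": {"scripting", "slow", "write"},
    "script": {"scripting", "slow"},
}

# Explicit denies covering both families; "-@scripting" is the category shorthand.
WORKAROUND_RULES = ["-" + c for c in SCRIPTING_COMMANDS]


def command_allowed(rules, cmd):
    """Return True if the command-rule tokens permit `cmd` (default deny)."""
    cats = SCRIPTING_COMMANDS[cmd]
    allowed = False
    for tok in rules:
        if tok in ("allcommands", "+@all"):
            allowed = True
        elif tok in ("nocommands", "-@all"):
            allowed = False
        elif tok.startswith(("+@", "-@")):
            if tok[2:] in cats:
                allowed = tok[0] == "+"
        elif tok.startswith(("+", "-")):
            name, _, sub = tok[1:].partition("|")
            if name != cmd:
                continue
            if tok[0] == "+":
                allowed = True        # whole command, or at least one subcommand
            elif not sub:
                allowed = False       # "-function" denies the whole family
    return allowed


def parse_acl_list_line(line):
    """Split one ACL LIST line into (username, enabled, command-rule tokens)."""
    line = re.sub(r"^\s*\d+\)\s*", "", line).strip().strip('"')  # redis-cli prefix
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    user, enabled = tokens[1], tokens[2] == "on"
    # Keep only command rules; skip passwords (#...), key (~), channel (&) patterns.
    rules = [t for t in tokens[3:]
             if t in ("allcommands", "nocommands") or re.match(r"^[+-][^~&%]", t)]
    return user, enabled, rules


def audit_acl_list(lines, script_users=frozenset()):
    """Map each enabled, non-allow-listed user to the Lua commands still permitted."""
    findings = {}
    for line in lines:
        user, enabled, rules = parse_acl_list_line(line)
        if not enabled or user in script_users:
            continue
        permitted = sorted(c for c in SCRIPTING_COMMANDS if command_allowed(rules, c))
        if permitted:
            findings[user] = permitted
    return findings


def workaround_setuser(user):
    """ACL SETUSER command appending the denies (SETUSER is cumulative)."""
    return "ACL SETUSER " + user + " " + " ".join(WORKAROUND_RULES)


# Constructed sample ACL LIST output (not captured from a real server).
SAMPLE_ACL_LIST = [
    'user default on nopass sanitize-payload ~* &* +@all',
    'user app on #0123abcd ~app:* &* -@all +@read +@write +@hash',
    'user reporter on #4567ef01 ~* &* -@all +@read +function|list',
    'user hardened on #89abcdef ~* &* +@all -@scripting',
    'user legacy off #fedcba98 ~* &* +@all',
]

if __name__ == "__main__":
    for user, cmds in audit_acl_list(SAMPLE_ACL_LIST).items():
        print(f"{user}: can still run {', '.join(cmds)}")
        print("  fix: " + workaround_setuser(user))
```

Run against a live instance with `redis-cli ACL LIST` piped into `audit_acl_list`; the `app` finding illustrates the caveat in the lead-in: `-@all +@write` leaves the FUNCTION family reachable even though no scripting rule was ever granted.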
CWE(s)
- CWE-94 (Code Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables authenticated low-privilege users to inject specially crafted Lua scripts that execute code in another user's context, which maps to Exploitation for Privilege Escalation (T1068), Exploitation of Remote Services (T1210), and abuse of server software components such as Lua scripting (T1505).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.