Cyber Resilience

CVE-2025-46818

Medium

Published: 03 October 2025
Modified: 27 January 2026
KEV Added: (not listed)
Patch: available (Redis 8.2.2)
CVSS Score v3.1: 6.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0324 (87.4th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-46818 is a medium-severity Code Injection (CWE-94) vulnerability in Redis (vendor: Redis). Its CVSS base score is 6.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks in the top 12.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

Deeper analysis

Redis is an open source in-memory database that persists on disk. CVE-2025-46818 affects all versions through 8.2.1 that support Lua scripting and stems from insufficient isolation between Lua objects. An authenticated user can supply a crafted Lua script that manipulates these objects, enabling execution of attacker-controlled code in the security context of another user. The issue is tracked under CWE-94 and carries a CVSS 3.1 score of 6.0.

An attacker who already holds an authenticated Redis session can therefore use the Lua environment to escalate privileges across user contexts without needing additional network access or any user interaction beyond the initial authentication.

The official fix is included in Redis 8.2.2. The project advisory and release notes also describe a workaround that uses ACL rules to block the EVAL and FUNCTION command families, which prevents any Lua script execution without modifying the server binary.

EPSS for the vulnerability rose from a low baseline to a peak of 0.0710 on 2026-02-23 before receding to the current value of 0.0324, indicating measurable post-disclosure exploitation interest.

Vulnerability details

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
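The ACL workaround described in the Deeper analysis and in the vulnerability details above, as an added audit script that is not part of this page or of the Redis project: it replays each user's rules from a users.acl file (Redis applies rules left to right) and reports enabled users who can still reach a Lua-running command. It assumes the standard membership of Redis' @scripting category and uses a constructed sample ACL file.

```python
# Replays each user's ACL rules (Redis applies them left to right) and reports
# enabled users who can still reach a Lua-running command; selectors ignored.

# Commands in Redis' @scripting category: the EVAL and FUNCTION families.
SCRIPTING = {"eval", "evalsha", "eval_ro", "evalsha_ro",
             "fcall", "fcall_ro", "function", "script"}


def scripting_allowed(rules):
    """Return (user enabled?, set of scripting commands still allowed)."""
    enabled, allowed = False, set()
    for tok in rules:
        t = tok.lower()
        if t in ("on", "off"):
            enabled = t == "on"
        elif t in ("allcommands", "+@all", "+@scripting"):
            allowed |= SCRIPTING
        elif t in ("nocommands", "-@all", "-@scripting"):
            allowed.clear()
        elif t[0] in "+-" and not t.startswith(("+@", "-@")):
            # Per-command rule. "+function|stats" is counted as enabling the
            # whole command, a deliberate over-approximation for an audit.
            cmd = t[1:].split("|", 1)[0]
            if cmd in SCRIPTING:
                (allowed.add if t[0] == "+" else allowed.discard)(cmd)
    return enabled, allowed


def audit_acl(text):
    """Map each enabled user with residual Lua access to the commands left."""
    findings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "user":
            enabled, allowed = scripting_allowed(parts[2:])
            if enabled and allowed:
                findings[parts[1]] = sorted(allowed)
    return findings


# Constructed sample users.acl, not taken from any real deployment.
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user app on >s3cret ~app:* +@all -@scripting
user worker on >s3cret ~* +@all -eval -evalsha -function
user auditor on >s3cret ~* -@all +@read +fcall_ro
user legacy off >s3cret ~* +@all
"""

if __name__ == "__main__":
    for user, cmds in audit_acl(SAMPLE_ACL).items():
        print(f"{user}: can still run {', '.join(cmds)}")
```

Only the `app` user is fully covered by the workaround; `worker` shows why blocking EVAL alone is insufficient, since the EVALSHA, *_RO and FCALL variants still execute Lua.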

CWE(s)

CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1505 Server Software Component (tactic: Persistence)
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.

Why these techniques?

The vulnerability enables authenticated low-privilege users to inject specially crafted Lua scripts that run code in another user's context, which maps to exploitation for privilege escalation (T1068), exploitation of remote services (T1210), and abuse of a server software component, here Lua scripting (T1505).

Affected Assets

redis / redis (vendor / product): ≤ 6.2.20, 7.0 to 7.2.11, 7.4.0 to 7.4.6

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses CWE-94: Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.

addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.
