Cyber Resilience

CVE-2025-46819

Medium

Published: 03 October 2025
Modified: 27 January 2026
KEV Added: not listed
Patch: Redis 8.2.2
CVSS Score v3.1: 6.3 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0783 (92.2nd percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-46819 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Redis. Its CVSS v3.1 base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK techniques Databases (T1213.006) and Application or System Exploitation (T1499.004); the CVE ranks in the top 7.8% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

Redis is an open source in-memory database that supports Lua scripting. CVE-2025-46819 affects all versions up to and including 8.2.1 and stems from insufficient bounds checking when processing specially crafted Lua scripts. The flaw, tracked under CWE-190 and CWE-125, permits an authenticated user to trigger an out-of-bounds read or an integer overflow that can crash the server.

An attacker with a local account and the ability to execute Lua scripts can supply a malicious script via the EVAL or FUNCTION command families. Successful exploitation yields either disclosure of adjacent memory contents or a denial-of-service condition that terminates the Redis process; the CVSS 6.3 vector reflects local access, high attack complexity, and low privileges.

The official fix is included in Redis 8.2.2. The project advisory and release notes also describe a workaround that needs no patch: use ACL rules to revoke the EVAL and FUNCTION command families (the @scripting command category) from untrusted users, which prevents Lua script execution without modifying the server binary. The EPSS probability is modest in absolute terms (0.0783 currently, 0.0934 at peak) and has shown no material upward trajectory since disclosure, although it still places the CVE in the 92nd percentile.


Vulnerability details

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to read out-of-bound data or crash the server, causing a subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around this issue without patching the redis-server executable, prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
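The ACL workaround above (and in the deeper analysis) is only as good as the rule sets actually loaded on the server, so the check a practitioner wants is an audit of `ACL LIST` output for users who can still reach the EVAL and FUNCTION command families. The following Python script is an added example, not code from the Redis project or from this page. It replays Redis ACL command rules (root rules plus any `(...)` selectors, left to right) for the script-running commands only; its command and category tables are an assumption drawn from Redis 7.x/8.x command metadata for those commands, and the sample ACL lines are constructed with fake password hashes.

```python
"""Audit `ACL LIST` output for Redis users who can still execute Lua scripts.
Added example; not Redis project code. Command/category tables and sample
ACL lines below are assumptions/constructed data, as labelled."""
import re
import sys

# Script-running commands in Redis "cmd|sub" ACL notation (assumed subset of
# @scripting; SCRIPT is omitted because it cannot execute code).
SCRIPTING_COMMANDS = (
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "fcall", "fcall_ro", "function|load", "function|restore",
)

# Categories that grant those commands: all are @slow and @scripting, and
# FUNCTION LOAD/RESTORE carry the write flag so @write grants them too.
# Any category missing here is assumed to grant none of them.
CATEGORIES = {
    "scripting": frozenset(SCRIPTING_COMMANDS),
    "slow": frozenset(SCRIPTING_COMMANDS),
    "write": frozenset({"function|load", "function|restore"}),
}

SELECTOR_RE = re.compile(r"\(([^)]*)\)")  # "(~pattern +cmd ...)" selectors


def _rule_covers(target, command):
    """'function' covers every FUNCTION subcommand; 'function|load' only itself."""
    if "|" in target:
        return target == command
    return command.split("|", 1)[0] == target


def _allowed(rules, command):
    """Replay one selector's rules left to right, the way Redis applies them."""
    allowed = False
    for rule in rules:
        if rule in ("allcommands", "+@all"):
            allowed = True
        elif rule in ("nocommands", "-@all"):
            allowed = False
        elif rule[:2] in ("+@", "-@"):
            if command in CATEGORIES.get(rule[2:].lower(), ()):
                allowed = rule[0] == "+"
        elif rule[:1] in ("+", "-") and _rule_covers(rule[1:].lower(), command):
            allowed = rule[0] == "+"
        # ~keys, &channels, >pass, #hash, on/off never change command rights
    return allowed


def parse_acl_line(line):
    """'user NAME rules... (selector)...' -> (name, enabled, [root, selectors])."""
    selectors = [s.split() for s in SELECTOR_RE.findall(line)]
    root = SELECTOR_RE.sub(" ", line).split()
    if len(root) < 2 or root[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    name, tokens = root[1], root[2:]
    enabled = False
    for tok in tokens:
        if tok in ("on", "off"):
            enabled = tok == "on"
    return name, enabled, [tokens] + selectors


def scripting_rights(line):
    """(user, enabled, scripting commands permitted by the root or any selector)."""
    name, enabled, rule_sets = parse_acl_line(line)
    allowed = [c for c in SCRIPTING_COMMANDS if any(_allowed(r, c) for r in rule_sets)]
    return name, enabled, allowed


def audit(acl_list_output):
    """Map each user in ACL LIST output to (enabled, permitted scripting commands)."""
    findings = {}
    for line in acl_list_output.splitlines():
        if line.strip():
            name, enabled, allowed = scripting_rights(line)
            findings[name] = (enabled, allowed)
    return findings


def remediation(findings):
    """ACL SETUSER commands revoking scripting from enabled users that have it.
    Rules append in order, so a trailing -@scripting beats earlier grants such
    as '+@all -@scripting +evalsha'; grants inside (...) selectors need manual edits."""
    return [f"ACL SETUSER {user} -@scripting"
            for user, (enabled, allowed) in findings.items() if enabled and allowed]


FAKE_HASH = "#" + "ab" * 32  # constructed placeholder, not a real SHA-256
SAMPLE_ACL_LIST = f"""\
user default on nopass sanitize-payload ~* &* +@all
user app on {FAKE_HASH} ~app:* &* +@all -@scripting
user reporter on {FAKE_HASH} ~* resetchannels -@all +@read +eval
user batch on {FAKE_HASH} ~* &* -@all +@write +fcall
user ops on {FAKE_HASH} ~* &* +@all -@scripting +evalsha
user legacy off {FAKE_HASH} ~* &* +@all
user tenant on {FAKE_HASH} ~* &* -@all +get (~tenant:* +eval_ro)
"""

if __name__ == "__main__":
    text = SAMPLE_ACL_LIST if sys.stdin.isatty() else sys.stdin.read()
    results = audit(text)
    for user, (enabled, allowed) in results.items():
        print(f"{'on ' if enabled else 'off'} {user:<10} {', '.join(allowed) or '-'}")
    print("\n".join(remediation(results)))
```

Run it as `redis-cli ACL LIST | python3 acl_audit.py` against a live instance; with nothing on stdin it audits the embedded sample. The sample shows the traps the audit is for: the stock `default` user with `+@all`, an explicit `+eval` added after `-@all`, `+@write` quietly re-granting FUNCTION LOAD, a later `+evalsha` undoing `-@scripting`, and a grant hidden inside a selector. After applying the emitted `ACL SETUSER ... -@scripting` commands, confirm with `ACL DRYRUN <user> EVAL "return 1" 0` (Redis 7.0+), which answers OK or a NOPERM message without running anything, and persist the change with `ACL SAVE` on aclfile deployments or `CONFIG REWRITE` when users live in redis.conf.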


Related Threats

MITRE ATT&CK Enterprise Techniques

T1213.006 Databases (Collection tactic): Adversaries may leverage databases to mine valuable information.
T1499.004 Application or System Exploitation (Impact tactic): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables authenticated users to craft Lua scripts for out-of-bounds memory reads (facilitating unauthorized data collection from the Redis database, T1213.006) or server crashes (enabling endpoint DoS via application exploitation, T1499.004).

Affected Assets

redis / redis: ≤ 6.2.20 · 7.0 to 7.2.11 · 7.4.0 to 7.4.6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
