CVE-2025-46819
Published: 03 October 2025
Summary
CVE-2025-46819 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Redis. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006); ranked in the top 7.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Redis is an open source in-memory database that supports Lua scripting. CVE-2025-46819 affects all versions up to and including 8.2.1 and stems from insufficient bounds checking when processing specially crafted Lua scripts. The flaw, tracked under CWE-190 and CWE-125, permits an authenticated user to trigger an out-of-bounds read or an integer overflow that can crash the server.
An attacker with a local account and the ability to execute Lua scripts can supply a malicious script via the EVAL or FUNCTION command families. Successful exploitation yields either disclosure of adjacent memory contents or a denial-of-service condition that terminates the Redis process; the CVSS 6.3 vector reflects local access, high attack complexity, and low privileges.
The official fix is included in Redis 8.2.2. The project advisory and release notes also describe a non-patch workaround that uses ACL rules to revoke the EVAL and FUNCTION command families from untrusted users, thereby preventing Lua script execution without modifying the server binary. The associated EPSS scores remain low (current 0.0783, peak 0.0934) with no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-33200
Vulnerability details
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to read out-of-bounds data or crash the server, causing a denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. The workaround, without patching the redis-server executable, is to prevent users from executing Lua scripts. This can be done using ACL to block scripts by restricting both the EVAL and FUNCTION command families.
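As an added example (not code from the Redis project or its advisory), the script below checks the running server version against the 8.2.2 fix and, where it is still exposed, applies the ACL workaround to a user and verifies it with ACL DRYRUN before looking at ACL LOG for denied attempts. The user name appuser, a configured aclfile and a local redis-cli with admin rights are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Redis project or its advisory. Assumptions:
# redis-cli is on PATH with admin rights to a local instance, and the
# application account is called "appuser" (a hypothetical name).
set -eu

# True (exit 0) when a redis_version string is 8.2.1 or below, the range the
# advisory lists as affected; 8.2.2 and later carry the fix. Other release
# lines may have their own backported fix (assumption), so confirm against
# the project advisory before relying on this alone.
is_vulnerable_version() {
    ver="$1"
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}        # drop a "-rc1"-style suffix, if any
    [ "$major" -lt 8 ] && return 0
    [ "$major" -gt 8 ] && return 1
    [ "$minor" -lt 2 ] && return 0
    [ "$minor" -gt 2 ] && return 1
    [ "$patch" -le 1 ]
}

# The advisory's workaround: take the Lua surface away from an existing user.
# @scripting is Redis' built-in ACL category for EVAL, EVALSHA, EVAL_RO,
# EVALSHA_RO, SCRIPT, FUNCTION, FCALL and FCALL_RO. ACL SETUSER applies rules
# incrementally, so the user's key and channel permissions are unchanged.
revoke_lua() {
    redis-cli ACL SETUSER "$1" -@scripting
    redis-cli ACL SAVE             # persist; assumes an aclfile is configured
}

# Prove the rule bites without executing any script: ACL DRYRUN (Redis 7.0+)
# answers OK if the user could run the command, or explains the denial.
check_lua_blocked() {
    redis-cli ACL DRYRUN "$1" EVAL "return 1" 0
    redis-cli ACL DRYRUN "$1" FCALL somefunc 0
}

main() {
    ver=$(redis-cli INFO server | sed -n 's/^redis_version://p' | tr -d '\r')
    if is_vulnerable_version "$ver"; then
        echo "redis $ver is below 8.2.2: applying the ACL workaround to $1"
        revoke_lua "$1"
    else
        echo "redis $ver is 8.2.2 or later: patched, workaround not required"
    fi
    check_lua_blocked "$1"
    redis-cli ACL LOG 10           # denied EVAL/FCALL attempts appear with reason "command"
}
[ $# -eq 0 ] || main "$@"          # e.g. sh redis_lua_lockdown.sh appuser
```

Run it once per account that can authenticate to the server, including the built-in default user if applications connect as it; a user that still needs read-only scripts can be given back EVAL_RO, EVALSHA_RO and FCALL_RO individually, but the crash path remains reachable from any script execution, so patching is the real fix.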
- CWE(s): CWE-190 (Integer Overflow or Wraparound), CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables authenticated users to craft Lua scripts that perform out-of-bounds memory reads (facilitating unauthorized data collection from the Redis database, T1213.006) or crash the server (enabling endpoint DoS via application exploitation, T1499.004).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.