CVE-2025-46819
BaseFortify
Publication date: 2025-10-03
Last updated on: 2025-11-12
Assigner: GitHub, Inc.
Description
An authenticated user can run a specially crafted Lua script that reads data outside the intended buffer or crashes the Redis server (denial of service). The issue is present in Redis builds with Lua scripting enabled, up to and including 8.2.1, and is fixed in 8.2.2. Without patching, the workaround is to restrict the EVAL and FUNCTION command families with ACLs.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redis | redis | From 7.0.0 (inc) to 7.2.9 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Redis versions up to and including 8.2.1 lets an authenticated user run a specially crafted Lua script that reads data outside the intended buffer or crashes the server, causing a denial of service. It affects every Redis version with Lua scripting enabled (the affected-product table above lists only the 7.0.0 to 7.2.9 range, so do not read that table as an exhaustive list) and is fixed in version 8.2.2. Without patching, the workaround is to stop users from executing Lua scripts by restricting the EVAL and FUNCTION command families with ACLs.
How can this vulnerability impact me?
An authenticated user can read out-of-bounds data, potentially exposing sensitive information held in server memory, or crash the Redis server, causing a denial of service for every application that depends on it.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Redis to 8.2.2 or later, where the issue is fixed. If you cannot patch yet, use ACLs to deny the EVAL and FUNCTION command families: in Redis ACLs the @scripting category covers EVAL, EVALSHA, EVAL_RO, EVALSHA_RO, FCALL, FCALL_RO, FUNCTION and SCRIPT (confirm with ACL CAT scripting on your version). Apply the restriction to every user that can authenticate, including the default user, which otherwise keeps +@all when only requirepass is configured.
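The ACL workaround above as a shell script around redis-cli. This is an added example, not code from BaseFortify or the Redis project; the user name appuser, the password placeholder app-secret and the REDIS_URL default are assumptions. It shows the permissive rule beside the hardened one, applies the hardened rule to both appuser and the default user, and checks that an EVAL as the restricted user is refused with NOPERM.

```shell
#!/bin/sh
# Added example (not from BaseFortify or the Redis project). Assumes redis-cli
# on PATH and a reachable server; appuser/app-secret/REDIS_URL are placeholders.

# Weak baseline: a user allowed every command, scripting included.
weak_user_rule() {
  printf '%s' "user appuser on >app-secret ~* &* +@all"
}

# Hardened: same access minus the @scripting category, which (per ACL CAT
# scripting in Redis 7) covers EVAL, EVALSHA, EVAL_RO, EVALSHA_RO, FCALL,
# FCALL_RO, FUNCTION and SCRIPT. This is the ACL-file form of the rule.
hardened_user_rule() {
  printf '%s' "user appuser on >app-secret ~* &* +@all -@scripting"
}

# True when the command name belongs to the EVAL or FUNCTION families that the
# hardened rule must reject. Used for a local sanity check; case-insensitive.
is_scripting_command() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    eval|evalsha|eval_ro|evalsha_ro|fcall|fcall_ro|function|script) return 0 ;;
    *) return 1 ;;
  esac
}

# Apply the hardened rule to a live server. Needs redis-cli and a running Redis.
apply_hardening() {
  url="${REDIS_URL:-redis://127.0.0.1:6379}"
  # Quoting matters: '>' would redirect, '~*' would glob, '&' would background.
  redis-cli -u "$url" ACL SETUSER appuser on '>app-secret' '~*' '&*' +@all -@scripting
  # The default user keeps +@all unless told otherwise; strip scripting there too.
  redis-cli -u "$url" ACL SETUSER default -@scripting
  # Persist: ACL SAVE works only with an aclfile configured; otherwise the
  # users are written into redis.conf by CONFIG REWRITE.
  redis-cli -u "$url" ACL SAVE 2>/dev/null || redis-cli -u "$url" CONFIG REWRITE
}

# Verify: an EVAL as appuser must now fail with a NOPERM error reply.
verify_eval_blocked() {
  url="${REDIS_URL:-redis://127.0.0.1:6379}"
  redis-cli -u "$url" --no-auth-warning --user appuser --pass app-secret \
    EVAL 'return 1' 0 2>&1 | grep -q NOPERM
}

# Usage (against a live server):
#   apply_hardening && verify_eval_blocked && echo "EVAL blocked for appuser"
```

The rule strings are also valid lines for a users.acl file loaded via the aclfile directive. Re-run ACL CAT scripting after upgrading, since the category membership is what the rule relies on, and remove the restriction only once the server runs 8.2.2 or later.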