Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
An attacker with access to an account (even with low privileges) can send a specially crafted Lua script that manipulates garbage collector behavior. This results in a use-after-free error (CWE-416) — a reference to already freed memory. A properly prepared exploit can allow takeover of the server process execution flow and execution of arbitrary code.
An attacker can achieve remote code execution (RCE) on the database server, potentially gaining full control over the host. Data leakage and modification of stored data are direct consequences of a successful attack.
Redis should be updated to version 8.2.2, where the bug has been fixed. If immediate patching is not possible, a workaround can be applied: restrict users' ability to execute Lua scripts by using ACL lists — block EVAL and EVALSHA commands. For Valkey, patches from the vendor should be applied according to the references.
Redis versions 8.2.1 and lower (all versions with Lua scripting support enabled); Valkey (LFProjects) — versions indicated in the vendor references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HLfprojects Valkey
APPLfprojects< 7.2.118.0.0 – 8.0.6 (bez)8.1.0 – 8.1.4 (bez)Redis
APPRedis8.0.0 – 8.0.4 (bez)< 6.2.208.2.0 – 8.2.2 (bez)7.0 – 7.2.11 (bez)7.4.0 – 7.4.6 (bez)
Related vulnerabilities
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debia...
Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow do...
Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does ...
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious use...
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious act...