CVE-2024-46981

moderate-risk

Published 2025-01-06

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Do I need to act?

75.7% chance of exploitation in next 30 days

EPSS score — higher than 24% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.0/10 High

LOCAL / HIGH complexity

Affected Products (2)

Redis

Debian Linux

Affected Vendors

Debian Redis

References (7)

Release Notes https://github.com/redis/redis/releases/tag/6.2.17

Release Notes https://github.com/redis/redis/releases/tag/7.2.7

Release Notes https://github.com/redis/redis/releases/tag/7.4.2

Vendor Advisory https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c

Mailing List https://lists.debian.org/debian-lts-announce/2025/01/msg00018.html

Exploit https://www.vicarius.io/vsociety/posts/cve-2024-46981-detect-redis-vulnerability

Exploit https://www.vicarius.io/vsociety/posts/cve-2024-46981-mitigate-redis-vulnerabili...

/ 100

moderate-risk

Severity 18/34 · Moderate

Exploitability 20/34 · Moderate

Exposure 7/34 · Low