CVE-2025-46819
low-risk
Published 2025-10-03
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to read out-of-bounds data or crash the server, causing a denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around this issue without patching the redis-server executable, prevent users from executing Lua scripts. This can be done using ACLs to block scripting by restricting both the EVAL and FUNCTION command families.
Do I need to act?
EPSS: 5.0% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown on this record; check vendor advisories for fix availability and mitigation guidance
CVSS: 6.3/10 (Medium); attack vector LOCAL, attack complexity HIGH
Affected Products (1)
Affected Vendors
References (5)
Release Notes: https://github.com/redis/redis/releases/tag/8.2.2
Third Party Advisory: https://github.com/redis/redis/security/advisories/GHSA-4c68-q8q8-3g4f
Third Party Advisory: https://www.vicarius.io/vsociety/posts/cve-2025-46819-detect-redis-vulnerability
Risk score: 29/100 (low-risk)
Severity: 16/34 · Moderate
Exploitability: 8/34 · Low
Exposure: 5/34 · Minimal