[CIVN-2025-0259] Multiple Vulnerabilities in Redis

Published On: October 15, 2025

Multiple Vulnerabilities in Redis 
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Redis version 8.2.1 and prior
Overview
Multiple vulnerabilities have been reported in Redis which could allow a remote attacker to execute arbitrary code and gain elevated privileges on the targeted system.
Target Audience:
Individuals and end-user organizations using affected Redis.
Risk Assessment:
High risk of sensitive data disclosure, privilege escalation and system compromise.
Impact Assessment:
Potential for remote code execution and system compromise.
Description
Redis is an open-source, in-memory data structure store used as a high-performance database, cache, and message broker for applications needing rapid data access and processing.
These vulnerabilities exist in Redis due to an integer overflow in certain Lua library commands and an insufficient Lua sandbox, which enables an attacker to execute Lua scripts in the context of another user. A remote attacker could exploit these vulnerabilities by sending a specially crafted Lua script that manipulates Lua objects, leading to remote code execution.
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the targeted system.
Solution
Apply appropriate software updates as mentioned by the vendor:
https://redis.io/docs/latest/operate/oss_and_stack/stack-with-enterprise/release-notes/redisce/redisos-8.2-release-notes/
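One way to find hosts inside the affected range stated above before patching, as an added example that is not part of the CERT-In advisory or of Redis's own tooling: it reads the redis_version field from captured `INFO server` replies and compares it numerically against 8.2.1. The host names and sample replies are constructed, and the advisory gives only the upper bound, so confirm the fixed build for your release branch in the vendor release notes.

```python
import re

# Upper bound of the affected range as stated in the advisory ("8.2.1 and prior").
LAST_AFFECTED = (8, 2, 1)

# Constructed sample data: host names and INFO replies are illustrative only.
SAMPLE_INVENTORY = {
    "cache-a": "# Server\r\nredis_version:8.2.1\r\nredis_mode:standalone\r\n",
    "cache-b": "# Server\r\nredis_version:7.4.2\r\nredis_mode:cluster\r\n",
    "cache-c": "# Server\r\nredis_version:8.10.0\r\n",  # hypothetical version number
    "cache-d": "NOAUTH Authentication required.\r\n",   # no version could be read
}


def parse_redis_version(info_text):
    """Return (major, minor, patch) from an INFO server reply, or None if absent."""
    for line in info_text.splitlines():  # splitlines() also strips the \r\n Redis sends
        match = re.fullmatch(r"redis_version:(\d+)\.(\d+)\.(\d+)\s*", line)
        if match:
            return tuple(int(part) for part in match.groups())
    return None


def classify(info_text):
    """Label one host: 'affected', 'not-listed' (above 8.2.1) or 'unknown'."""
    version = parse_redis_version(info_text)
    if version is None:
        return "unknown"  # treat as unverified, not as safe
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly sort "8.10.0" below "8.2.1".
    return "affected" if version <= LAST_AFFECTED else "not-listed"


def triage(inventory):
    """Map each host name to its classification."""
    return {host: classify(info) for host, info in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Capture the input on each host with `redis-cli INFO server`; hosts reported as "unknown" still need a manual check.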
Vendor Information
Redis
https://redis.io/docs/latest/operate/oss_and_stack/stack-with-enterprise/release-notes/redisce/redisos-8.2-release-notes/
References
Redis
https://redis.io/docs/latest/operate/oss_and_stack/stack-with-enterprise/release-notes/redisce/redisos-8.2-release-notes/
Wiz
https://www.wiz.io/vulnerability-database/cve/cve-2025-46817
https://www.wiz.io/vulnerability-database/cve/cve-2025-46818
CVE Name
CVE-2025-46817
CVE-2025-46818
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003