CVE-2025-46817

HIGH severity · CVSS 7 · Integer overflow

7CVSS HIGH

Summary

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.

Impact & exploitability

Attack vectorLocal

Attack complexityHigh

Privileges requiredLow

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)11%

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Redis

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://github.com/redis/redis/commit/fc9abc775e308374f667fdf3e723ef4b7eb0e3ca ↗

Additional information

NVD record
https://github.com/redis/redis/commit/fc9abc775e308374f667fdf3e723ef4b7eb0e3caPatch
https://github.com/redis/redis/security/advisories/GHSA-m8fj-85cg-7vhpAdvisory
https://github.com/redis/redis/releases/tag/8.2.2