Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-46981

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Published

2025-01-06T22:15:09.360

Last Modified

2025-09-05T14:20:13.647

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.0 (HIGH)

Weaknesses

Type: Secondary
CWE-416

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	redis	redis	< 6.2.17	Yes
Application	redis	redis	< 7.2.7	Yes
Application	redis	redis	< 7.4.2	Yes
Operating System	debian	debian_linux	11.0	Yes

References

https://github.com/redis/redis/releases/tag/6.2.17 Release Notes ([email protected])
https://github.com/redis/redis/releases/tag/7.2.7 Release Notes ([email protected])
https://github.com/redis/redis/releases/tag/7.4.2 Release Notes ([email protected])
https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c Vendor Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2025/01/msg00018.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.vicarius.io/vsociety/posts/cve-2024-46981-detect-redis-vulnerability Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.vicarius.io/vsociety/posts/cve-2024-46981-mitigate-redis-vulnerability Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)