CVE-2025-46817

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7 HIGH
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
7 HIGH
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
redis
bullseye
vulnerable
bullseye (security)
vulnerable
bookworm
vulnerable
bookworm (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
Common Weakness Enumeration
References
https://github.com/redis/redis/commit/fc9abc775e308374f667fdf3e723ef4b7eb0e3ca
https://github.com/redis/redis/releases/tag/8.2.2
https://github.com/redis/redis/security/advisories/GHSA-m8fj-85cg-7vhp