
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN669
_____________________________________________________________________

DATE                : 07/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running redis-server.

=====================================================================
https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q
https://github.com/redis/redis/security/advisories/GHSA-m8fj-85cg-7vhp
https://github.com/redis/redis/security/advisories/GHSA-4c68-q8q8-3g4f
https://github.com/redis/redis/security/advisories/GHSA-qrv7-wcrx-q5jp
_____________________________________________________________________

Lua Use-After-Free may lead to remote code execution
Critical
YaacovHazan published GHSA-4789-qfc9-5f9q Oct 3, 2025

Package
redis-server

Affected versions
All

Patched versions
6.2.20, 7.2.11, 7.4.6, 8.0.4, 8.2.2


Description

Impact

An authenticated user may use a specially crafted Lua script to
manipulate the garbage collector, trigger a use-after-free and
potentially lead to remote code execution.

The problem exists in all versions of Redis with Lua scripting.


Workarounds

An additional workaround to mitigate the problem without patching
the redis-server executable is to prevent users from executing
Lua scripts. This can be done using ACL to restrict EVAL and
EVALSHA commands.


Credit

The problem was reported by Wiz researchers Benny Isaacs
(@benny_isaacs), Nir Brakha, Sagi Tzadik (@sagitz_) working with
Trend Micro, Zero Day Initiative


Severity
Critical
10.0 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID
CVE-2025-49844

Weaknesses
Weakness CWE-416


Credits

    @zdi-disclosures (Analyst)

_____________________________________________________________________


Lua library commands may lead to integer overflow and potential RCE
High
YaacovHazan published GHSA-m8fj-85cg-7vhp Oct 3, 2025

Package
redis-server

Affected versions
All

Patched versions
TBD


Description

Impact

An authenticated user may use a specially crafted Lua script to cause
an integer overflow and potentially lead to remote code execution.

The problem exists in all versions of Redis with Lua scripting.


Workarounds

An additional workaround to mitigate the problem without patching the
redis-server executable is to prevent users from executing Lua
scripts. This can be done using ACL to block a script by restricting
both the EVAL and FUNCTION command families.


Credit

The problem was reported by zhutyra


Severity
High
7.0 / 10

CVSS v3 base metrics
Attack vector
Local
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2025-46817

Weaknesses
Weakness CWE-190 

_____________________________________________________________________


Out of bound read due to a bug in LUA
Moderate
YaacovHazan published GHSA-4c68-q8q8-3g4f Oct 3, 2025

Package
redis-server

Affected versions
All

Patched versions
TBD


Description

Impact

An authenticated user may use a specially crafted Lua script to read
out-of-bounds data or to crash the server, resulting in a denial of
service.

The problem exists in all versions of Redis with Lua scripting.


Workarounds

An additional workaround to mitigate the problem without patching the
redis-server executable is to prevent users from executing Lua
scripts. This can be done using ACL to block a script by restricting
both the EVAL and FUNCTION command families.


Credit

The problem was reported by zhutyra


Severity
Moderate
6.3 / 10

CVSS v3 base metrics
Attack vector
Local
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE ID
CVE-2025-46819

Weaknesses
Weakness CWE-190

_____________________________________________________________________

Running Lua function as a different user
Moderate
YaacovHazan published GHSA-qrv7-wcrx-q5jp Oct 3, 2025

Package
redis-server

Affected versions
All

Patched versions
TBD


Description

Impact

An authenticated user may use a specially crafted Lua script to
manipulate different Lua objects and potentially run their own
code in the context of another user.

The problem exists in all versions of Redis with Lua scripting.


Workarounds

An additional workaround to mitigate the problem without patching
the redis-server executable is to prevent users from executing Lua
scripts. This can be done using ACL to block a script by
restricting both the EVAL and FUNCTION command families.
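The four advisories above share one interim mitigation: deny Lua scripting to users who do not need it, and upgrade to the patched release for the running line. The script below is an added example written for this note (it is neither CERT-Renater's nor the Redis project's code). It triages a reported `redis_version` against the patched releases listed in GHSA-4789-qfc9-5f9q and emits the ACL workaround. It uses the Redis ACL category `@scripting`, which covers both the EVAL and the FUNCTION command families, so one rule implements the workaround stated in all four advisories; the user names and the `--live` mode (which needs `redis-cli` on PATH) are assumptions for illustration.

```shell
#!/bin/sh
# Added example for the CERT-Renater note (not code from CERT-Renater or Redis).
# Pure-shell helpers run offline; "--live" additionally queries a local Redis.

# Patched releases as listed in GHSA-4789-qfc9-5f9q (one per release line).
PATCHED_VERSIONS="6.2.20 7.2.11 7.4.6 8.0.4 8.2.2"

# vercmp A B: print "lt", "eq" or "gt" comparing dotted versions numerically.
vercmp() {
  v1=$1; v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    p1=${v1%%.*}; p2=${v2%%.*}
    if [ "$p1" = "$v1" ]; then v1=; else v1=${v1#*.}; fi
    if [ "$p2" = "$v2" ]; then v2=; else v2=${v2#*.}; fi
    p1=${p1:-0}; p2=${p2:-0}          # missing component counts as 0
    if [ "$p1" -lt "$p2" ]; then echo lt; return 0; fi
    if [ "$p1" -gt "$p2" ]; then echo gt; return 0; fi
  done
  echo eq
}

# patched_release_for MAJOR.MINOR.PATCH: print the fixed release of that
# MAJOR.MINOR line, or nothing if the advisory lists no fix for the line.
patched_release_for() {
  line=${1%.*}
  for p in $PATCHED_VERSIONS; do
    if [ "${p%.*}" = "$line" ]; then echo "$p"; return 0; fi
  done
  echo ""
}

# redis_version_status VERSION: "patched", "vulnerable" or "no-fix-listed".
# The advisories state that all versions with Lua scripting are affected, so
# "no-fix-listed" (an unlisted line) must be treated as vulnerable as well.
redis_version_status() {
  fix=$(patched_release_for "$1")
  if [ -z "$fix" ]; then echo no-fix-listed; return 0; fi
  case $(vercmp "$1" "$fix") in
    lt) echo vulnerable ;;
    *)  echo patched ;;
  esac
}

# acl_workaround_command USER: the ACL rule that denies the EVAL and FUNCTION
# command families (both live in the @scripting category) for one user.
acl_workaround_command() {
  echo "ACL SETUSER $1 -@scripting"
}

# Live mode: read the version from INFO server and apply the workaround to the
# (assumed) application users. INFO output is CRLF-terminated, hence tr -d '\r'.
if [ "${1:-}" = "--live" ]; then
  shift
  ver=$(redis-cli INFO server | tr -d '\r' | sed -n 's/^redis_version://p')
  echo "redis_version=$ver status=$(redis_version_status "$ver")"
  for u in "${@:-appuser}"; do      # hypothetical user names
    redis-cli $(acl_workaround_command "$u")
  done
fi
```

Run `sh redis_lua_triage.sh --live appuser reportuser` against a host to print the triage verdict and apply the rule to the named users; apply it to every user that does not genuinely need Lua, and run `ACL SAVE` afterwards if the instance loads users from an `aclfile`, otherwise the rule is lost on restart. The version check is a stopgap for change tracking only: the advisories list all versions as affected, so a host on an unlisted line still needs the ACL restriction until it is upgraded.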


Credit

The problem was reported by zhutyra


Severity
Moderate
6.0 / 10

CVSS v3 base metrics
Attack vector
Local
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

CVE ID
CVE-2025-46818

Weaknesses
Weakness CWE-94 


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
