=====================================================================
CERT-Renater Information Note No. 2025/VULN678
_____________________________________________________________________
DATE                 : 09/10/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Valkey versions prior to 7.2.11, 8.0.6, 8.1.4.
=====================================================================

https://github.com/valkey-io/valkey/security/advisories/GHSA-9rfg-jx7v-52p6
_____________________________________________________________________

Lua Use-After-Free may lead to remote code execution
Severity: High
madolson published GHSA-9rfg-jx7v-52p6 on Oct 3, 2025

Package           : Valkey
Affected versions : 7.2.10 and below, 8.0.5 and below, 8.1.3 and below
Patched versions  : 7.2.11 and above, 8.0.6 and above, 8.1.4 and above

Description

Impact
An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Valkey.

Workarounds
An additional workaround to mitigate the problem without patching the valkey-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict the EVAL and EVALSHA commands.

Credit
The problem was reported by Wiz researchers Benny Isaacs (@benny_isaacs), Nir Brakha and Sagi Tzadik (@sagitz_), working with Trend Micro Zero Day Initiative.

Severity
High, 8.8 / 10

CVSS v3 base metrics
Attack vector       : Network
Attack complexity   : Low
Privileges required : Low
User interaction    : None
Scope               : Unchanged
Confidentiality     : High
Integrity           : High
Availability        : High
Vector string       : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID     : CVE-2025-49844
Weaknesses : No CWEs

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44              +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41              +
+ 75013 Paris        | email : cert@support.renater.fr   +
=========================================================
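The Workarounds section above recommends using ACL to keep users away from EVAL and EVALSHA. The following added example (not part of the advisory or the Valkey project) audits ACL LIST output, applying the ordered +/- rule semantics of the Valkey/Redis ACL system, and reports which users can still reach Lua; it goes slightly beyond the advisory's wording by also treating the read-only variants EVAL_RO/EVALSHA_RO as Lua entry points, and its category map is a deliberately simplified assumption.

```python
"""Audit Valkey ACL rules for users who can still run Lua via EVAL/EVALSHA.

Added example, not from the advisory or the Valkey project. It applies the
ordered +/- rule semantics of the Valkey/Redis ACL system to ACL LIST output
(or ACL file lines) and reports which scripting commands each user keeps.
"""

# Assumption: Lua entry points to check. The advisory names EVAL and EVALSHA;
# the read-only variants also run Lua scripts, so they are included here.
SCRIPT_CMDS = {"eval", "evalsha", "eval_ro", "evalsha_ro"}
# Simplified category map: only the categories this check needs. Grants via
# other categories (e.g. @slow) are not modelled, so review those by hand.
CATEGORIES = {"all": SCRIPT_CMDS, "scripting": SCRIPT_CMDS}

def allowed_script_commands(rule_line):
    """Return (user, set of SCRIPT_CMDS the user may call), applying rules in order."""
    tokens = rule_line.split()
    if tokens[:1] != ["user"] or len(tokens) < 2:
        raise ValueError("expected 'user <name> <rules...>'")
    name, allowed = tokens[1], set()
    for rule in tokens[2:]:
        rule = {"allcommands": "+@all", "nocommands": "-@all"}.get(rule, rule)
        if rule[0] not in "+-":
            continue  # on/off, >password, #hash, ~keypattern, &channel, ...
        add, target = rule[0] == "+", rule[1:].lower()
        if target.startswith("@"):
            cmds = CATEGORIES.get(target[1:], set())
        else:
            cmds = {target.split("|", 1)[0]} & SCRIPT_CMDS  # strip subcommand
        allowed = allowed | cmds if add else allowed - cmds
    return name, allowed

def audit(acl_list_output):
    """Map each user to the sorted scripting commands still permitted."""
    return {name: sorted(cmds) for name, cmds in
            (allowed_script_commands(l) for l in acl_list_output.strip().splitlines())}

# Constructed sample ACL LIST output: the default user with full rights (weak),
# an app user hardened as the advisory suggests, and one with a leftover grant.
SAMPLE_ACL = """
user default on nopass ~* &* +@all
user app on #abc123 ~app:* &* +@all -eval -evalsha
user batch on #def456 ~* +@all -@scripting +eval
"""

if __name__ == "__main__":
    for user, cmds in audit(SAMPLE_ACL).items():
        print(f"{user}: {'no Lua access' if not cmds else 'can run ' + ', '.join(cmds)}")
```

Feed it the real output of `ACL LIST` from a valkey-cli session; any user listed with remaining commands still has a path to the vulnerable Lua engine until the server is upgraded.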