INFSA-2025:19237: redis security update
Information about definition
Identificator: INFSA-2025:19237
Type: security
Release date: 2025-11-05 16:38:54 UTC
Information about package
Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.
Vulnerabilities description
- CVE-2025-46817
Redis could allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution.
- CVE-2025-46818
Redis could allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user.
- CVE-2025-46819
Redis could allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service.
- CVE-2025-49844
Redis could allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution.
Severity level
| CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
|---|---|---|---|
|
NIST — CVE-2025-46817
|
no information | 8.8 | no information |
|
NIST — CVE-2025-46818
|
no information | 6.0 | no information |
|
NIST — CVE-2025-46819
|
no information | 6.3 | no information |
|
NIST — CVE-2025-49844
|
no information | 8.8 | no information |
Updated packages
Preparing to download...