Recent discoveries have unveiled three critical vulnerabilities within the Lua scripting engine of Redis version 7.4.5. These flaws pose significant risks, including remote code execution and unauthorized privilege escalation. RedRays has released a comprehensive proof-of-concept (PoC) exploit, now publicly accessible, underscoring the urgency for organizations to address these issues promptly.
Detailed Examination of the Vulnerabilities:
1. Use-After-Free Flaw (CVE-2025-49844):
This vulnerability emerges from inadequate protection of TString objects during script parsing. Specifically, within the `luaY_parser` function, the Lua parser fails to safeguard newly created TStrings, rendering them vulnerable to premature garbage collection and subsequent use-after-free conditions. Attackers can exploit this flaw by strategically triggering garbage collection during parsing, potentially leading to remote code execution.
2. Integer Overflow Vulnerability (CVE-2025-46817):
The `unpack()` function in Lua miscalculates element counts, which can result in stack corruption when invoked with extreme range parameters. For instance, by manipulating arguments such as `unpack({1,2,3}, -2, 2147483647)`, attackers can bypass array boundaries and potentially execute arbitrary code.
3. Metatable Privilege Escalation Flaw (CVE-2025-46818):
This flaw permits the modification of fundamental metatables, including those for strings and numbers, due to their lack of proper read-only protection. By altering these metatables, malicious actors can inject logic that facilitates privilege escalation or code execution within the context of other users.
Proof-of-Concept Exploit:
RedRays has developed a robust Python-based PoC to validate the severity of these vulnerabilities. The PoC automates several critical tests:
– Use-After-Free Exploitation (CVE-2025-49844): Conducts aggressive heap and garbage collection stress tests to identify and exploit use-after-free conditions.
– Integer Overflow and Stack Corruption (CVE-2025-46817): Utilizes fuzzing techniques on the `unpack()` function to trigger integer overflows and subsequent stack corruption.
– Privilege Escalation via Metatable Manipulation (CVE-2025-46818): Demonstrates how crafted Lua scripts can manipulate basic type metatables to achieve privilege escalation.
The PoC connects to a target Redis instance and performs up to ten comprehensive tests, confirming the exploitability of the vulnerabilities and assessing whether appropriate patches have been applied. These technical evaluations employ custom Lua scripts sent via Redis EVAL commands, exposing vulnerable server states and providing evidence of crashes or unexpected outputs.
Severity Assessment:
The identified vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers and severity ratings:
– CVE-2025-49844: Use-After-Free in Lua Parser (`deps/lua/src/lparser.c:387`) – Critical
– CVE-2025-46817: Integer Overflow in `unpack()` (`deps/lua/src/lbaselib.c`) – Critical
– CVE-2025-46818: Metatable Privilege Escalation (`script_lua.c`, `eval.c`) – Critical
Mitigation Strategies:
Given the critical nature of these vulnerabilities, immediate action is imperative. Redis administrators are strongly advised to:
– Update to Patched Versions: Ensure that Redis instances are updated to versions that have addressed these vulnerabilities. This is particularly crucial for internet-facing or untrusted deployments where the risk of exploitation is heightened.
– Restrict EVAL Access: Limit the use of the EVAL command to trusted users and scripts. Since these vulnerabilities can be exploited through Lua scripts executed via EVAL, restricting its access can mitigate potential risks.
– Monitor and Audit: Regularly monitor Redis logs and audit configurations to detect any unauthorized or suspicious activities. Implementing intrusion detection systems can provide an additional layer of security.
– Implement Security Best Practices: Adhere to security best practices, such as using strong authentication mechanisms, encrypting data in transit, and regularly reviewing and updating security policies.
Conclusion:
The disclosure of these critical vulnerabilities within the Lua scripting engine of Redis 7.4.5 highlights the importance of proactive security measures. Organizations must prioritize the immediate application of patches and the implementation of robust security practices to safeguard their systems against potential exploits. Continuous vigilance and adherence to security protocols are essential in mitigating the risks associated with these vulnerabilities.
