CVE-2025-46817: 
Redis Analisi e mitigazione delle vulnerabilità

Redis versions 8.2.1 and below contain a critical vulnerability (CVE-2025-46817) that allows an authenticated user to exploit a specially crafted Lua script to cause an integer overflow, potentially leading to remote code execution. The vulnerability affects all Redis versions that include Lua scripting support, and has been fixed in version 8.2.2 (Redis Release, NVD).

The vulnerability stems from improper integer bounds checking in the Lua scripting engine's unpack() function. When processing scripts, extreme index values can be supplied to trigger an integer overflow condition that corrupts the Lua stack and potentially enables control flow hijacking. The vulnerability has received a CVSS v3.1 Base Score of 7.0 (High) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access is required but no user interaction is needed (GitHub Advisory, NVD).

If successfully exploited, this vulnerability could allow an authenticated attacker to execute arbitrary code within the Redis server's process context. This could potentially lead to complete system compromise, allowing access to or modification of stored data and enabling lateral movement across connected systems (GBHackers).

Organizations are advised to upgrade to Redis version 8.2.2 or later which contains the security fix. For systems that cannot be immediately updated, a temporary workaround is available by using Access Control Lists (ACLs) to block the EVAL and FUNCTION command families, effectively preventing users from executing Lua scripts (GitHub Advisory, Redis Release).