CVE-2025-46818: 
Redis vulnerability analysis and mitigation

Redis versions 8.2.1 and below contain a vulnerability (CVE-2025-46818) that allows an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The vulnerability affects all versions of Redis with LUA scripting support and was fixed in version 8.2.2, released on October 3, 2025 (Redis Release, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH) by NVD with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. GitHub assigned it a CVSS score of 6.0 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and involves the manipulation of Lua objects that can lead to privilege escalation between Redis users (NVD, GitHub Advisory).

The vulnerability allows authenticated users to execute code in the context of other users, potentially leading to unauthorized access to data and privilege escalation within Redis instances. This could compromise the confidentiality and integrity of data stored in affected Redis deployments (Security Online).

The vulnerability has been fixed in Redis version 8.2.2. For systems that cannot be immediately updated, a workaround is available by preventing users from executing Lua scripts. This can be implemented using Access Control Lists (ACL) to block script execution by restricting both the EVAL and FUNCTION command families (NVD, GitHub Advisory).