Multiple critical Lua script handling vulnerabilities in Redis (CVE-2025-49844 CVSS 9.9, CVE-2024-31449 CVSS 7.0, CVE-2022-24834 CVSS 7.0) allow remote attackers to cause denial of service or execute arbitrary code. Affected versions include Redis < 6.2.20, Redis 7.0 to < 7.2.11, Redis 7.4.0 to < 7.4.6, Redis 8.0.0 to < 8.0.4, and Redis 8.2.0 to < 8.2.2, among other specific version ranges. Remediation requires upgrading to fixed versions such as Redis 6.2.20, 7.2.11, 7.4.6, 8.0.4, or 8.2.2.
It was discovered that Redis incorrectly handled certain specially crafted Lua scripts. A remote attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue was only addressed in lua5.1 on Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2025-49844) It was discovered that Redis incorrectly handled certain specially crafted Lua scripts. A remote attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue was only addressed in lua-bitop on Ubuntu 20.04 LTS and Ubuntu 22.04 LTS and in redis on Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-31449) Seiya Nakata and Yudai Fujiwara discovered that Redis incorrectly handled certain specially crafted Lua scripts. An attacker could possibly use this issue to cause heap corruption and execute arbitrary code. This issue was only addressed in lua-cjson on Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24834)