Recent Vulnerabilities in Redis Server’s Lua Scripting Engin...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.offsec.com/blog/recent-vulnerabilities-in-redis-servers-lua-scripting-engine/
• Blog Title: Recent Vulnerabilities in Redis Server’s Lua Scripting Engine
• Suggested Section: Pentesting Network -> Network Services -> Redis (add subsection: 'Redis Lua Scripting Engine: Sandbox Escapes & Memory Corruption - CVE-2025-49844/46817/46818')

🎯 Content Summary

Scope and affected components
Targets: Redis server’s embedded Lua scripting engine. Attack surface is network-exposed Redis with Lua enabled and an authenticated attacker. Vulnerable/patch levels: Redis versions lower than 8.2.2, 8.0.4, 7.4.6, 7.2.11, or 6.2.20.

CVE-2025-49844 — Use-After-Free in Lua parser (Critical, CVSS 9.9)
• Files/functions: lparser.c → luaY_parser.
• How it works: During parsing, the Redis Lua pars...

🔧 Technical Details

GC-timed UAF in Lua parser (CVE-2025-49844): Create memory pressure with string.rep(), then force collectgarbage('collect') while the Redis Lua parser is compiling a large source via loadstring(). The GC frees a TString still referenced by luaY_parser, yielding a controllable UAF that can crash Redis or enable native-code execution beyond the Lua sandbox.

Integer wrap in unpack (CVE-2025-46817): Supply extreme i/e indices so n = e - i + 1 overflows (e.g., -1, 2147483647). Lua then attempts to return far more values than the table contains, causing stack corruption and memory exhaustion—useful for denial of service and potential memory-corruption primitives.

Global metatable poisoning (CVE-2025-46818): Because basic-type metatables aren’t read-only, set entries like getmetatable('').__index to inje...

🤖 Agent Actions

Changes implemented.

What I updated

• File updated: src/network-services-pentesting/6379-pentesting-redis.md
• Added a new subsection under the existing “LUA sandbox bypass” section:
  • Title: Redis Lua Scripting Engine: Sandbox Escapes & Memory Corruption (CVE-2025-49844/46817/46818)
  • Content:
    • Technical exploitation notes and PoCs for:
      • CVE-2025-49844 (GC-timed Use-After-Free in luaY_parser)
      • CVE-2025-46817 (integer overflow in unpack → stack corruption/mem exhaustion)
      • CVE-2025-46818 (global metatable poisoning → cross-user sandbox priv-esc)
    • redis-cli EVAL one-liners to exercise the issues
    • Operational monitoring tips (MONITOR/SLOWLOG, EVAL/EVALSHA/FUNCTION)
    • Mitigations (patched versions, protected mode, AUTH, ACL restrictions on EVAL/EVALSHA/FUNCTION, egress restriction)
    • Cross-link to the general Lua sandbox bypass page
• Added a global “References” section at the bottom of the Redis page (before the banner), including:
  • OffSec blog post
  • NVD entries for the three CVEs
  • Wiz analysis for CVE-2025-49844
  • Public PoC repositories for each CVE

Why here

• The repository already has a Redis page (src/network-services-pentesting/6379-pentesting-redis.md) with a “LUA sandbox bypass” subsection. The new content fits as an expansion of these techniques, focusing on the 2025 Lua-engine vulnerabilities and exploitation patterns.

Research used

• Directly fetched and used: OffSec blog post and linked resources (NVD, Wiz analysis, PoC GitHub repos).

No new file creation was necessary.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.offsec.com/blog/recent-vulnerabilities-in-redis-servers-lua-scripting-engine/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Network -> Network Services -> Redis (add subsection: 'Redis Lua Scripting Engine: Sandbox Escapes & Memory Corruption - CVE-2025-49844/46817/46818')".

Repository Maintenance:

• MD Files Formatting: 901 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0