Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-46819 PoC — Redis is vulnerable to DoS via specially crafted LUA scripts

Source
https://github.com/dwisiswant0/CVE-2025-46819
Associated Vulnerability
Title:Redis is vulnerable to DoS via specially crafted LUA scripts (CVE-2025-46819)
Description:Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Description
CVE-2025-46819 – Redis Lua Long-String Delimiter Out-of-Bounds Read
Readme
# CVE-2025-46819 – Redis Lua Long-String Delimiter Out-of-Bounds Read

Malformed long-string delimiter causing Lua lexer OOBs read on Redis 8.2.1.

## Overview

Lua's long-string parser in Redis 8.2.1 mishandles malformed `[=...` sequences, returning sentinel values that lead to buffer underflows or excessive recursion. Attackers can cause Redis to read out of bounds or overflow the C stack.

## Environment

- Redis server 8.2.1 (or any vulnerable release before 8.2.2)
- `redis-cli`
- Local network access to the Redis instance

## Files

- [`CVE-2025-46819.lua`](/CVE-2025-46819.lua) – constructs a huge malformed delimiter and feeds it to `loadstring`.

## Usage

```bash
redis-cli -h localhost -p 6379 --eval CVE-2025-46819.lua
```

**Expected result:**

On vulnerable versions you'll typically see "ERR C stack overflow" or an immediate crash. Redis 8.2.2 (commit [3a1624da2449ac3dbfc4bdaed43adf77a0b7bfba](https://github.com/redis/redis/commit/3a1624da2449ac3dbfc4bdaed43adf77a0b7bfba)) rejects the script with "invalid long string delimiter" without destabilizing the server.

## Mitigation

Upgrade to Redis 8.2.2 or later, or disable Lua for untrusted users.
File Snapshot

 [4.0K]  /data/pocs/e264ec48ece2c2dd554e0b94d405882503c276d1
├── [1.1K]  CVE-2025-46819.lua
└── [1.1K]  README.md

1 directory, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →