A newly disclosed use-after-free vulnerability in the Lua scripting engine embedded in Redis can lead to remote code execution on Redis 8.2.1 and earlier, a serious risk for anyone running unpatched instances.
Description
Redis is an open-source, in-memory database that persists data on disk. In versions 8.2.1 and earlier, an authenticated user can submit a specially crafted Lua script that manipulates the Lua garbage collector and triggers a use-after-free. Because scripts execute inside the redis-server process itself, the memory corruption can be turned into remote code execution with the privileges of that process. "Authenticated" is a low bar here: on an instance with no password configured, every client that connects is already authenticated as the default user.
The issue affects every Redis version that includes Lua scripting, which in practice means every deployment in use. It was fixed in Redis 8.2.2, released on October 3, 2025.
Workaround
Administrators who cannot upgrade immediately can reduce exposure by preventing Lua script execution. Redis Access Control Lists (ACLs) can remove the EVAL and EVALSHA commands from users that do not need them. The whole scripting surface belongs to the @scripting ACL category (EVAL, EVALSHA, their _RO variants, SCRIPT and, on Redis 7 and later, FCALL and FUNCTION, which run the same Lua engine), so dropping that category from a user is simpler and more complete than listing individual commands. This is a stop-gap, not a fix: it also blocks legitimate scripts, and it has to be applied to every user that can reach the server, including the default user.
Technical Details
- Severity: Critical
- CVSS Score: 10.0
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- CWE: CWE-416 (Use After Free)
- Affected Versions: All versions below 8.2.2
Recommended Action
Upgrade to Redis 8.2.2 or later as soon as possible, and confirm the running version afterwards with INFO server (the redis_version field), since a package upgrade only takes effect once the server process has been restarted. This vulnerability is a reminder that a memory-safety flaw in an embedded scripting engine becomes code execution in the host process, and that the ability to run scripts should be limited to the users that actually need it.
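The version check from the recommended action and the ACL stop-gap from the workaround, as one added shell example. This is not code from the Redis project or from the advisory; the function names, the sample INFO output and the user name "app" are assumptions made for the example, and the comparison treats 8.2.2 as the first fixed release exactly as the advisory states.

```shell
#!/bin/sh
# Added example (not from the Redis project or the advisory): check a node's
# version against the 8.2.2 fix and emit an ACL stop-gap that removes Lua
# execution from one user. Names, sample data and the user "app" are assumed.

# Constructed sample of `redis-cli INFO server` output from an unpatched node.
SAMPLE_INFO='# Server
redis_version:8.2.1
redis_mode:standalone
os:Linux 6.8.0 x86_64'

# Print the redis_version field from INFO output (real output is CRLF-terminated).
redis_version_from_info() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^redis_version:\(.*\)$/\1/p'
}

# Print "major minor patch" for a plain numeric dotted version; missing parts are 0.
split_version() {
  major=${1%%.*}
  case $1 in
    *.*) rest=${1#*.} ;;
    *)   rest=0 ;;
  esac
  minor=${rest%%.*}
  case $rest in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;
  esac
  printf '%s %s %s\n' "$major" "$minor" "$patch"
}

# Exit 0 when version $1 is at or above version $2.
version_ge() {
  set -- $(split_version "$1") $(split_version "$2")
  # $1 $2 $3 = left major/minor/patch, $4 $5 $6 = right major/minor/patch
  if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ] && return 0; return 1; fi
  if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ] && return 0; return 1; fi
  [ "$3" -ge "$6" ] && return 0
  return 1
}

# The advisory names 8.2.2 as the fixed release and everything below as affected.
is_patched() { version_ge "$1" 8.2.2; }

# Emit the ACL commands that remove Lua execution from user $1; pipe into
# redis-cli to apply. -@scripting covers EVAL and EVALSHA together with
# EVAL_RO, EVALSHA_RO, SCRIPT and (Redis 7+) FCALL/FUNCTION, which use the
# same Lua engine. ACL SAVE persists only when `aclfile` is configured in
# redis.conf; for users defined in redis.conf use CONFIG REWRITE instead.
acl_block_scripting() {
  printf 'ACL SETUSER %s -@scripting\n' "$1"
  printf 'ACL SAVE\n'
}

# Stand-alone run on the constructed sample; no Redis server is contacted.
v=$(redis_version_from_info "$SAMPLE_INFO")
if is_patched "$v"; then
  echo "redis $v is at or above 8.2.2: no action needed"
else
  echo "redis $v is below 8.2.2: upgrade, or apply this stop-gap per user:"
  acl_block_scripting app
fi
```

Against a live server, feed real data in: `redis_version_from_info "$(redis-cli INFO server)"` for the check, and `acl_block_scripting app | redis-cli` to apply the rule, repeating it for every user that can connect (the default user included). The rule removes all scripting from that user, so run it only where no legitimate script use exists, and treat it as a bridge until the node is restarted on 8.2.2 or later.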