
Fix redis lua library vulnerabilities (CVE-2024-31449, CVE-2025-49844)

Open KIMDONGYEON00 opened this issue 2 months ago • 0 comments

CVE-2024-31449

Affected component/file: lua_bit.c

CVE-2024-31449 was found in Redis, and the same behavior is reproduced in Dragonfly. A Lua stack overflow causes a crash. According to the Redis security advisory, this vulnerability can lead to RCE attacks.

CVE-2025-49844

Affected component/file: lparser.c

Redis versions 6.2.6 and below are vulnerable to remote code execution via a specially crafted Lua script that manipulates the garbage collector to trigger use-after-free. Fixed in version 8.2.2. Workaround: Use ACL to restrict EVAL and EVALSHA commands. According to the Redis security advisory, this vulnerability can lead to use-after-free and potentially lead to remote code execution.

KIMDONGYEON00, Oct 20 '25 10:10
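As an added example (not code from the issue or from the codis project), a small audit of the ACL workaround named above: it applies `ACL LIST`-style rule strings left to right using a hand-written partial command-to-category map (an assumption, not Redis's full table) and reports which Lua entry points each user can still call. The sample ACL lines and placeholder hashes are constructed; the check also covers EVAL_RO and EVALSHA_RO, which Redis 7 added alongside EVAL and EVALSHA and which a rule that only removes `-eval -evalsha` leaves enabled.

```python
from typing import Dict, List, Set

# Partial command-to-category map (assumption: hand-written subset; the real
# @scripting category in Redis 7 includes these names).
CATEGORIES: Dict[str, Set[str]] = {
    "scripting": {"eval", "evalsha", "eval_ro", "evalsha_ro",
                  "script", "fcall", "fcall_ro", "function"},
    "read": {"get", "mget"}, "write": {"set", "del"},
}
ALL_COMMANDS: Set[str] = set().union(*CATEGORIES.values())
# Commands that hand caller-supplied source to the Lua interpreter.
LUA_ENTRY_POINTS = ("eval", "evalsha", "eval_ro", "evalsha_ro")


def allowed_commands(acl_line: str) -> Set[str]:
    """Apply +/- command and @category rules left to right, as Redis does.
    Key (~), channel (&), password (>, #) and on/off tokens are skipped."""
    allowed: Set[str] = set()
    for token in acl_line.split():
        tok = token.lower()
        if tok in ("allcommands", "+@all"):
            allowed |= ALL_COMMANDS
        elif tok in ("nocommands", "-@all"):
            allowed.clear()
        elif tok.startswith(("+@", "-@")):
            members = CATEGORIES.get(tok[2:], set())
            allowed = allowed | members if tok[0] == "+" else allowed - members
        elif tok[0] in "+-" and len(tok) > 1:
            # "+cmd|first-arg" is only a partial grant; count it as exposure.
            cmd = tok[1:].split("|", 1)[0]
            allowed.add(cmd) if tok[0] == "+" else allowed.discard(cmd)
    return allowed


def exposed_lua_entry_points(acl_line: str) -> List[str]:
    return [c for c in LUA_ENTRY_POINTS if c in allowed_commands(acl_line)]


# Constructed sample of `ACL LIST` output; password hashes are placeholders.
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<hash-placeholder> ~app:* &* -@all +@read +@write",
    "user ops on #<hash-placeholder> ~* &* +@all -eval -evalsha",
    "user batch on #<hash-placeholder> ~* &* +@all -@scripting",
]


def audit(acl_list: List[str]) -> Dict[str, List[str]]:
    # Map each user in an ACL LIST dump to the Lua entry points it keeps.
    report: Dict[str, List[str]] = {}
    for line in acl_list:
        fields = line.split()
        if fields[:1] == ["user"]:
            report[fields[1]] = exposed_lua_entry_points(line)
    return report
```

Running `audit(SAMPLE_ACL_LIST)` shows `ops` still exposing `eval_ro` and `evalsha_ro`, while `-@scripting` (user `batch`) removes every Lua entry point at once.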