CVE-2024-46981
Initial Publication
05/15/2025
Last Update
10/14/2025
Third Party Dependency
redis
NIST CVE Summary
Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
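The ACL workaround described above, as an added illustration that is not part of this advisory or of the Redis project: a Redis ACL file (loaded with the `aclfile` directive in redis.conf, or applied at runtime with ACL SETUSER) showing an unrestricted application user beside the same user with the Lua scripting commands denied. User names and the password placeholder are assumptions.

```conf
# users.acl (constructed example; loaded via "aclfile /etc/redis/users.acl" in redis.conf)

# Weak: this application user can run every command, including EVAL and EVALSHA,
# so an authenticated client can submit arbitrary Lua scripts.
user app_weak on >replace-with-strong-password ~* &* +@all

# Hardened: same access to keys and channels, but the scripting category is denied.
# Rules apply left to right, so "-@scripting" overrides "+@all" for EVAL, EVALSHA,
# EVAL_RO, EVALSHA_RO and SCRIPT (on Redis 7.x also FCALL, FCALL_RO and FUNCTION).
user app_hardened on >replace-with-strong-password ~* &* +@all -@scripting

# The restriction only helps if clients cannot fall back to the default user,
# which carries +@all unless it is restricted or disabled as well.
user default off
```

After loading the file, `ACL GETUSER app_hardened` should list `-@scripting` in the user's command rules, and an `EVAL "return 1" 0` from that user should be refused with a NOPERM error rather than executed.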
CVE Severity
CRITICAL (see Revision History)
Our Official Summary
Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack overflow in the bit library.
This vulnerability is reported on Redis components in third-party images. Exploiting the stack overflow requires an authenticated user to execute a specially crafted Lua script, potentially leading to denial of service. This vulnerability only applies if you are using Harbor as the registry in the Palette or workload cluster.
The risk of exploitation from the Harbor deployment is low because the Redis instance is configured with restricted access and Lua scripting functionality is disabled.
We will upgrade Harbor when fixes become available upstream.
Status
Ongoing
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.7.23 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
4.6.41 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
Revision History
Date | Revision |
---|---|
09/15/2025 | Status changed from Open to Ongoing |
09/15/2025 | Official summary added |
09/06/2025 | Advisory assigned with CRITICAL severity |