CVE-2025-46819
CVE Details
Visit the official vulnerability details page for CVE-2025-46819 to learn more.
Initial Publication
11/14/2025
Last Update
01/05/2026
Third Party Dependency
redis
NIST CVE Summary
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to read out-of-bounds data or crash the server, resulting in denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. A workaround that does not require patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
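The ACL workaround described above only helps if no enabled account can still reach the scripting commands. The following is an added example (not NIST, Redis or vendor code) that audits saved `ACL LIST` output for such accounts; the user names and rules in `SAMPLE` are constructed, and it assumes the `@scripting` ACL category covers the EVAL and FUNCTION families.

```python
# Added example (not vendor or Redis project code): offline audit of `ACL LIST`
# output for users who can still reach the Lua engine.
# Assumptions: ACL v2 selectors "( ... )" are not modeled; only @all and
# @scripting are resolved, any other "+@category" is reported for manual review.
SCRIPT_CMDS = {"eval", "evalsha", "eval_ro", "evalsha_ro",
               "fcall", "fcall_ro", "function", "script"}

def scripting_access(acl_line):
    """Return (user, enabled, allowed_script_cmds, unresolved_category_grants)."""
    tokens = acl_line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    name, enabled, allowed, unresolved = tokens[1], False, set(), []
    for tok in (t.lower() for t in tokens[2:]):   # rules apply left to right
        if tok in ("on", "off"):
            enabled = tok == "on"
        elif tok in ("allcommands", "+@all"):
            allowed = set(SCRIPT_CMDS)
        elif tok in ("nocommands", "-@all", "-@scripting"):
            allowed, unresolved = set(), []       # revokes every scripting command
        elif tok == "+@scripting":
            allowed |= SCRIPT_CMDS
        elif tok.startswith("+@"):
            unresolved.append(tok)                # category may include EVAL etc.
        elif tok[0] in "+-" and not tok.startswith("-@"):
            cmd, _, sub = tok[1:].partition("|")
            if cmd in SCRIPT_CMDS and tok[0] == "+":
                allowed.add(cmd)
            elif cmd in SCRIPT_CMDS and not sub:  # "-function|load" leaves the rest
                allowed.discard(cmd)
    return name, enabled, sorted(allowed), unresolved

def audit(acl_list_text):
    """Enabled users that can, or might, run Lua: {user: (allowed, unresolved)}."""
    findings = {}
    for line in filter(None, map(str.strip, acl_list_text.splitlines())):
        name, enabled, allowed, unresolved = scripting_access(line)
        if enabled and (allowed or unresolved):
            findings[name] = (allowed, unresolved)
    return findings

# Constructed sample, not taken from a real deployment.
SAMPLE = """
user default on nopass ~* &* +@all
user app on #<hash-placeholder> ~* &* +@all -@scripting
user metrics on #<hash-placeholder> resetchannels -@all +info +ping
user batch on #<hash-placeholder> ~job:* -@all +@read -@scripting +evalsha
user reports on #<hash-placeholder> ~* -@all +@slow
user legacy off #<hash-placeholder> ~* +@all
"""

if __name__ == "__main__":
    for user, (cmds, unresolved) in audit(SAMPLE).items():
        print(user, "allowed:", cmds, "review:", unresolved)
```

The model errs toward flagging: a user listed under "review" holds a category grant the script cannot resolve offline and should be checked against the live server.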
CVE Severity
Our Official Summary
CVE-2025-46819 is a vulnerability in Redis, the widely used open-source, in-memory database. The flaw exists in Redis’s Lua scripting functionality and can lead to out-of-bounds memory access or a server crash (denial of service) when processing specially crafted Lua scripts from an authenticated user. In Redis versions 8.2.1 and below, an authenticated user with permission to run Lua scripts can leverage a crafted script to read memory outside its intended bounds or cause the Redis server process to terminate unexpectedly. This results from inadequate handling of data in the Lua interpreter that Redis embeds.
This issue is reported on the Harbor registry pack when it is used within the Kubernetes cluster. Exploitation of this issue would require access to the container and execution of code on the container. The container has safeguards in place to prevent code execution.
No upstream fix is available for this vulnerability. Once one is available, it will be adopted.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.8.13 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.7.29 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
Revision History
| Date | Revision |
|---|---|
| 01/05/2026 | Official summary revised |
| 01/05/2026 | Status changed from Open to Ongoing |
| 01/05/2026 | Official summary added |