[security][CRITICAL] redis 8.2.1: 5 CVE require triage #1

Closed
opened 2026-04-29 04:35:46 +03:00 by sbelikov · 1 comment

CVE triage request

Package

  • Package: redis
  • Version: 8.2.1
  • EVR: 8.2.1-1
  • Category: database
  • Policy class: service
  • NiceOS policy class: -
  • Owner: base-team
  • Severity: CRITICAL
  • Max CVSS: 9.9
  • CVE count: 5

LLM recommendation

RU (translated)

Vulnerabilities in Redis 8.2.1 (CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819) allow remote code execution or DoS via Lua scripts. A vulnerability in XACKDEL (CVE-2025-62507), fixed in 8.2.3, was also identified.

Immediately update the redis package to version 8.2.2 or higher. If an update is not possible, apply ACLs to deny the EVAL, EVALSHA and XACKDEL commands.

Recommended action: update_package

Target version hint: 8.2.2

Checks:
  1. Check the package version: rpm -q redis.
  2. Check the ACL for the vulnerable commands: redis-cli ACL LIST.
  3. Attempt to execute a Lua script (it should be blocked, or work only in a safe context).
  4. Check the behaviour of the XACKDEL command.

Risks: Full server compromise (RCE) if there is an authenticated user with script execution privileges. Denial of service (DoS) and data leakage.

EN

Redis 8.2.1 is vulnerable to RCE and DoS via Lua scripts (CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819) and a buffer overflow in XACKDEL (CVE-2025-62507).

Immediately update the redis package to version 8.2.2 or higher. If an update is not possible, apply ACL rules to block EVAL, EVALSHA, and XACKDEL commands.

Recommended action: update_package

Target version hint: 8.2.2

Tests:
  1. Check package version: rpm -q redis.
  2. Check ACL configuration for EVAL/EVALSHA/XACKDEL restrictions: redis-cli ACL LIST.
  3. Attempt to execute a malicious Lua script (should be blocked or restricted).
  4. Verify XACKDEL command behavior.

Risks: Full server compromise (RCE) if an authenticated user has script execution privileges. Denial of Service (DoS) and data leakage.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | NiceOS status | Reason |
|---|---|---:|---|---|---|
| CVE-2025-49844 | CRITICAL | 9.9 | cpe-range | needs_triage | package version is inside version range |
| CVE-2025-46817 | HIGH | 8.8 | cpe-range | needs_triage | package version is inside version range |
| CVE-2025-62507 | HIGH | 7.7 | cpe-range | needs_triage | package version is inside version range |
| CVE-2025-46818 | HIGH | 7.3 | cpe-range | needs_triage | package version is inside version range |
| CVE-2025-46819 | HIGH | 7.1 | cpe-range | needs_triage | package version is inside version range |

Descriptions

CVE-2025-49844

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. A workaround for this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict the EVAL and EVALSHA commands.

CVE-2025-46817

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.

CVE-2025-62507

Redis is an open source, in-memory database that persists on disk. In versions 8.2.0 and above, a user can run the XACKDEL command with multiple IDs and trigger a stack buffer overflow, which may potentially lead to remote code execution. This issue is fixed in version 8.2.3. A workaround for this issue without patching the redis-server executable is to prevent users from executing the XACKDEL operation. This can be done using ACL to restrict the XACKDEL command.

CVE-2025-46818

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different Lua objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block scripts by restricting both the EVAL and FUNCTION command families.

CVE-2025-46819

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to read out-of-bounds data or crash the server, with a subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. A workaround for this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block scripts by restricting both the EVAL and FUNCTION command families.
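The ACL workaround named in the recommendation and in the CVE descriptions is easy to get partially wrong: `-eval -evalsha` alone leaves the FUNCTION family open, which the descriptions of CVE-2025-46818 and CVE-2025-46819 call out. The following is an added example, not part of this issue or of Redis, that audits `redis-cli ACL LIST` output offline and reports which enabled users can still run EVAL/EVALSHA, FCALL/FUNCTION or XACKDEL; the sample ACL lines, the password-hash placeholder and the CATEGORIES map are constructed assumptions.

```python
# Offline audit of `redis-cli ACL LIST` output for the commands this issue's
# workaround names: EVAL/EVALSHA, the FUNCTION family (FCALL/FUNCTION) and XACKDEL.
# CATEGORIES is a partial, hand-maintained approximation of Redis ACL categories
# assumed for this example; a live server's `ACL CAT <category>` is authoritative.
RISKY = ["eval", "evalsha", "fcall", "function", "xackdel"]
CATEGORIES = {
    "scripting": {"eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro", "function", "script"},
    "stream": {"xackdel", "xadd", "xack", "xdel", "xread"},
    "write": {"xackdel", "xadd", "xack", "xdel", "set", "del"},
}
# Constructed sample in ACL LIST format; '#<hash-placeholder>' stands in for the
# SHA-256 password hash a real server prints.
SAMPLE_ACL_LIST = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #<hash-placeholder> ~app:* resetchannels +@all -@scripting -xackdel
user batch on #<hash-placeholder> ~* resetchannels -@all +@read +@write +evalsha
user legacy off nopass ~* &* +@all
"""

def effective_commands(rules, commands=RISKY):
    """Apply ACL rule tokens left to right (later rules override earlier ones)
    and return the subset of `commands` that is still permitted, sorted."""
    allowed = set()
    for tok in rules:
        if tok in ("allcommands", "+@all"):
            allowed.update(commands)
        elif tok in ("nocommands", "-@all"):
            allowed.clear()
        elif tok[:2] in ("+@", "-@"):  # category rule, e.g. -@scripting
            hit = {c for c in commands if c in CATEGORIES.get(tok[2:], set())}
            allowed = allowed | hit if tok[0] == "+" else allowed - hit
        elif tok[0] in "+-":  # single-command rule; '+cmd|sub' still exposes cmd
            cmd = tok[1:].split("|", 1)[0]
            if cmd in commands:
                allowed = allowed | {cmd} if tok[0] == "+" else allowed - {cmd}
    return sorted(allowed)

def audit_acl_list(text):
    """Map each enabled user in ACL LIST output ('user <name> on|off ...') to the
    risky commands it can still run. Users marked 'off' are skipped."""
    findings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "user" or parts[2] != "on":
            continue
        rules = [p for p in parts[3:] if p[0] in "+-" or p in ("allcommands", "nocommands")]
        findings[parts[1]] = effective_commands(rules)
    return findings
```

In the sample, only the `app` user (rules `+@all -@scripting -xackdel`) comes back clean; `default` exposes everything and `batch` still allows EVALSHA and XACKDEL.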

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2025-46817",
    "CVE-2025-46818",
    "CVE-2025-46819",
    "CVE-2025-49844",
    "CVE-2025-62507"
  ],
  "fingerprint": "767a66a5e5a40a9d1c3b",
  "generated_at": "2026-04-29T01:35:46Z",
  "package": "redis",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "8.2.1"
}

Triage result for NiceOS 5.2:

Redis 8.2.1-1 is affected by the CVEs listed in this issue. The target version hint 8.2.2 is not sufficient for the full set, because it covers the Lua-related CVEs but not CVE-2025-62507.

Resolution plan:

  • Keep Redis within the NiceOS 5.2 stable upstream series: 8.2.x.
  • Target update: redis 8.2.1 → 8.2.5.
  • Minimum version required to close this issue: 8.2.3.
  • Preferred version: 8.2.5, because it stays inside the same 8.2.x series and includes later security fixes from the same branch.

CVE status by target version:

| CVE | Status with 8.2.5 | Notes |
|---|---|---|
| CVE-2025-49844 | fixed | fixed upstream in 8.2.2 |
| CVE-2025-46817 | fixed | fixed upstream in 8.2.2 |
| CVE-2025-46818 | fixed | fixed upstream in 8.2.2 |
| CVE-2025-46819 | fixed | fixed upstream in 8.2.2 |
| CVE-2025-62507 | fixed | fixed upstream in 8.2.3 |

NiceOS policy decision:

Redis should not jump to a newer upstream minor/major line for this security update. For niceos-5.2, the update should remain in the pinned 8.2.x series. I will track/update this as 8.2.5, not as an unrestricted latest upstream bump.

Suggested policy entry:

```yaml
pinned_versions:
  redis:
    version_prefix: "8.2."
    reason: "NiceOS 5.2 stable policy: keep Redis within the 8.2.x upstream series; cross-series updates require service compatibility and upgrade review"
```

Required validation before closing:

```bash
redis-server --version
redis-cli --version

redis-server --save "" --appendonly no --port 6380 --daemonize yes
redis-cli -p 6380 PING
redis-cli -p 6380 SET niceos:test ok
redis-cli -p 6380 GET niceos:test
redis-cli -p 6380 ACL LIST
redis-cli -p 6380 SHUTDOWN NOSAVE
```

Close this issue as fixed only after rpms/redis, Core/redis, and niceos-package-index all confirm redis 8.2.5-1.
