Vulnerability Report

CVE-2024-46981

RCE

Title: Redis RCE

Memory Corruption

Proof Of Concept

PoC Available for CVE-2024-46981

CWE Category CWE-416

Published Date Jan 06, 2025

Modified Date Sep 05, 2025

Exploit Status Available

Score 7.0 CVSS v3.1

Exploit Probability (EPSS)

7.80%

Vulnerability Summary

CVE-2024-46981: Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Impacted Vendors

redislabs 1

anynines 1

redis 1

Reference Links

https://github.com/redis/redis/releases/tag/6.2.17 https://github.com/redis/redis/releases/tag/7.2.7 https://github.com/redis/redis/releases/tag/7.4.2 https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c https://lists.debian.org/debian-lts-announce/2025/01/msg00018.html https://www.vicarius.io/vsociety/posts/cve-2024-46981-detect-redis-vulnerability https://www.vicarius.io/vsociety/posts/cve-2024-46981-mitigate-redis-vulnerability

CVSS v3.1

Source Entity [email protected]

Severity HIGH

7.0

Attack Vector

LOCAL

Complexity

HIGH

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v3.1

Source Entity [email protected]

Severity CRITICAL

9.8

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2024-46981 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/publicqi/CVE-2024-46981

View Code

GitHub https://github.com/xsshk/CVE-2024-46981

View Code

September 05, 2025 MODIFIED

Vulnerability data or affected products updated.

September 05, 2025 MODIFIED

Vulnerability data updated via NVD.

January 06, 2025 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector LOCAL

Complexity HIGH

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Stack

No specific products linked.