PoC for CVE-2025–49844, CVE-2025–46817 and CVE-2025–46818 Critical Lua Engine Vulnerabilities
HEADS UP! Researchers have disclosed three critical vulnerabilities in Redis 7.4.5’s Lua scripting engine that could allow remote code execution and privilege escalation. The first flaw, CVE-2025–49844, is a use-after-free issue in the Lua parser caused by unprotected TString objects left on the stack during script parsing. The second, CVE-2025–46817, involves an integer overflow in the unpack() function (n = e — i + 1), which can corrupt the stack and enable arbitrary code execution. The third, CVE-2025–46818, enables privilege escalation through writable metatables for basic types such as strings, numbers, and nil, allowing attackers to inject code across user contexts. The researchers have also released a Python proof-of-concept demonstrating all three exploits and recommend immediate patching of affected Redis deployments.
