A recent security audit of Redis (reported against 7.4.5) uncovered three severe flaws in the embedded Lua interpreter.
CVE-2025-49844 and CVE-2025-46817 permit remote code execution via a use-after-free in the Lua parser and an integer overflow in the unpack() API, respectively.
CVE-2025-46818 lets a user escalate privileges, running Lua code in the context of another user, by manipulating the metatables of Lua's basic types. All three require the ability to execute Lua scripts (EVAL/EVALSHA), which the default ACL grants to every authenticated client, so upgrade and, until then, deny the @scripting category to users that do not need it. Published PoC exploits demonstrate real-world impact, confirming that unpatched instances reachable by script-capable clients are exploitable.
https://cyberpress.org/poc-lua-engine-vulnerabilities/
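A triage check a practitioner would run across a Redis fleet, added here as an example (it is not code from the article or from the Redis project): it parses the version out of `INFO server` output, decides from a per-release-line fixed-version table whether the build predates the Lua-engine fixes, and replays the command rules of an `ACL LIST` entry in order to see whether that user can reach EVAL at all. The fixed-version table is stated as an assumption to be re-checked against the vendor advisory, and the INFO text and ACL lines are constructed samples.

```python
import re

# Release line -> first release carrying the Lua-engine fixes.
# ASSUMPTION: taken from the Redis advisories for CVE-2025-49844,
# CVE-2025-46817 and CVE-2025-46818; re-check against the vendor advisory.
FIXED_IN = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
    (6, 2): (6, 2, 20),
}

# Constructed sample of `INFO server` output from an unpatched 7.4 node.
INFO_SAMPLE = """# Server
redis_version:7.4.5
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 6.8.0-45-generic x86_64
"""

# Constructed samples of `ACL LIST` lines: the default user, and a
# service user that has had the scripting category removed.
ACL_DEFAULT = "user default on nopass sandbox ~* &* +@all"
ACL_HARDENED = "user app on #<hash> ~app:* &* +@all -@scripting"


def parse_version(info_text: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from `INFO server` output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def is_unpatched(version: tuple[int, int, int]) -> bool:
    """True if this build predates the fix for its release line.
    Lines absent from FIXED_IN (e.g. EOL 5.x, 6.0, 7.0) received no fix
    and are therefore reported as unpatched."""
    fix = FIXED_IN.get(version[:2])
    return fix is None or version < fix


def scripting_reachable(acl_list_line: str) -> bool:
    """Decide whether EVAL is permitted for one `ACL LIST` entry.

    ACL rules apply left to right and the last matching rule wins, so the
    tokens are replayed in order.  Simplified on purpose: only the tokens
    that affect EVAL are handled; selectors `(...)` and per-subcommand
    rules are not.
    """
    relevant = {"@all", "@scripting", "eval"}
    allowed = False
    for tok in acl_list_line.split():
        if tok == "allcommands":
            allowed = True
        elif tok == "nocommands":
            allowed = False
        elif tok[:1] in "+-" and tok[1:] in relevant:
            allowed = tok[0] == "+"
    return allowed


def assess(info_text: str, acl_list_line: str) -> dict:
    """Combine both checks into a triage verdict for one user on one node."""
    version = parse_version(info_text)
    unpatched = is_unpatched(version)
    reachable = scripting_reachable(acl_list_line)
    if unpatched and reachable:
        action = "upgrade now; until then ACL SETUSER <user> -@scripting"
    elif unpatched:
        action = "upgrade; scripting already denied for this user"
    else:
        action = "patched"
    return {"version": version, "unpatched": unpatched,
            "scripting_reachable": reachable, "action": action}


if __name__ == "__main__":
    for line in (ACL_DEFAULT, ACL_HARDENED):
        print(line.split()[1], assess(INFO_SAMPLE, line))
```

Run it against real `INFO server` and `ACL LIST` output captured with redis-cli; a node that is unpatched but whose every user lacks @scripting is still a patch-now item, only with a narrower window of exposure.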