
PoC Exploit Released for Critical Lua Engine Vulnerabilities

Three newly disclosed vulnerabilities have been identified in the Lua scripting engine of Redis 7.4.5, each presenting severe risks of remote code execution and privilege escalation.

RedRays has released a detailed proof-of-concept (PoC) to exploit these vulnerabilities, which is now publicly available. Organizations are urged to act immediately.

Use-After-Free Flaw (CVE-2025-49844)

This vulnerability arises when TString objects are not properly protected during script parsing. Specifically, in luaY_parser, the Lua parser neglects to safeguard a newly created TString, making it susceptible to premature garbage collection and use-after-free conditions.

The patched code protects the object on the stack before parsing.

Attackers can exploit this issue for remote code execution by carefully triggering garbage collection during the parsing process.

Integer Overflow Vulnerability (CVE-2025-46817)

The unpack() function incorrectly calculates element counts, enabling stack corruption when called with extreme range parameters. 

By manipulating arguments such as unpack({1,2,3}, -2, 2147483647), attackers could bypass array bounds and even execute arbitrary code.

Metatable Privilege Escalation Flaw (CVE-2025-46818)

This flaw allows modification of essential metatables, like those for strings and numbers, because they are not properly protected as read-only. 

By altering metatables, a malicious actor may inject logic that performs privilege escalation or code execution in the context of other users.

RedRays stated that a robust Python-based PoC verifies the criticality of all three vulnerabilities. The PoC automates:

  • Aggressive heap and garbage collection stress tests for use-after-free exploitation (CVE-2025-49844),
  • Fuzzing of the unpack() call to trigger integer overflow and stack corruption (CVE-2025-46817),
  • Manipulation of basic type metatables to prove privilege escalation via crafted Lua scripts (CVE-2025-46818).

The code connects to a target Redis instance and runs up to ten full-stack tests, confirming exploitability and the presence or absence of proper patching. 

These technical checks leverage custom Lua scripts sent via Redis EVAL commands, exposing vulnerable server states and printing crash/output evidence.

| CVE | Title | Severity |
|---|---|---|
| CVE-2025-49844 | Use-After-Free in Lua Parser (deps/lua/src/lparser.c:387) | Critical |
| CVE-2025-46817 | Integer Overflow in unpack() (deps/lua/src/lbaselib.c) | Critical |
| CVE-2025-46818 | Metatable Privilege Escalation (script_lua.c, eval.c) | Critical |

Mitigations

Redis administrators must immediately update to patched versions. These CVEs, confirmed by source review and practical exploitation, collectively expand the Redis attack surface, exposing production servers to real-world threats, especially where EVAL access is available. 

Organizations running Redis 7.4.5 should deploy fixes without delay, as attackers can exploit these flaws to achieve full remote code execution and unauthorized privilege escalation.

Immediate patching is essential for all internet-facing or untrusted Redis deployments.
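Because exposure depends on who can reach EVAL, the following added example (not part of the original article or the RedRays PoC) parses `ACL LIST` output and reports which accounts can send Lua to the server. The sample lines are constructed, and the rule handling is a simplified model of Redis ACL evaluation: only `@all` and `@scripting` are resolved, and anything else that could grant script access is flagged for manual review.

```python
# Added example: find Redis ACL users that can reach the Lua engine.
SCRIPT_CMDS = {"eval", "eval_ro", "evalsha", "evalsha_ro",
               "fcall", "fcall_ro", "script", "function"}

SAMPLE_ACL = [  # constructed ACL LIST lines, not taken from a real server
    "user default on nopass ~* &* +@all",
    "user app on #<hash-placeholder> ~app:* resetchannels -@all +get +set +eval",
    "user metrics on #<hash-placeholder> ~* resetchannels +@all -@scripting",
    "user batch off #<hash-placeholder> ~* resetchannels +@read +script|load",
]

def audit_acl(acl_lines):
    """Map user -> (enabled, allowed script commands, needs_review)."""
    findings = {}
    for line in acl_lines:
        # Selectors "(...)" carry their own rule sets; flag them, do not guess.
        root, selector, _ = line.partition("(")
        parts = root.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        enabled, allowed, review = False, set(), bool(selector)
        for tok in (t.lower() for t in parts[2:]):  # rules apply left to right
            if tok in ("on", "off"):
                enabled = tok == "on"
            elif tok in ("+@all", "allcommands", "+@scripting"):
                allowed = set(SCRIPT_CMDS)
            elif tok in ("-@all", "nocommands", "-@scripting"):
                allowed = set()
            elif tok.startswith("+@"):
                review = True              # category not modelled here
            elif tok[:1] in "+-" and not tok.startswith("-@"):
                cmd, _, sub = tok[1:].partition("|")
                if cmd not in SCRIPT_CMDS:
                    continue
                if sub:
                    review = True          # subcommand rule, check by hand
                elif tok[0] == "+":
                    allowed.add(cmd)
                else:
                    allowed.discard(cmd)
        findings[parts[1]] = (enabled, sorted(allowed), review)
    return findings

def exposed_users(findings):
    """Enabled users that can, or might, submit Lua scripts."""
    return sorted(u for u, (on, cmds, review) in findings.items()
                  if on and (cmds or review))

if __name__ == "__main__":
    for user in exposed_users(audit_acl(SAMPLE_ACL)):
        print(user, audit_acl(SAMPLE_ACL)[user])
```

Other `-@category` rules are ignored, so the result errs toward over-reporting access rather than missing it.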


The post PoC Exploit Released for Critical Lua Engine Vulnerabilities appeared first on Cyber Security News.

rssfeeds-admin
