POC details: 7f2c9e1dddbc10e856ac55dbb588c700c7d9a38d

Source
Related vulnerability
Title: Redis code injection vulnerability (CVE-2025-46818)
Description: Redis is an open-source, network-capable key-value store from Redis (USA), written in ANSI C, that can run in memory or with persistence and offers APIs for many languages. Redis 8.2.1 and earlier contain a code injection vulnerability: an authenticated user can use a specially crafted Lua script to manipulate different Lua objects, which may allow arbitrary code to run in another user's context.
Description
CVE-2025-46818 – Redis Lua Sandbox Cross-User Escape
Introduction
# CVE-2025-46818 – Redis Lua Sandbox Cross-User Escape

Sandbox escape via deprecated Lua APIs and mutable metatables on Redis 8.2.1.

## Overview

Redis 8.2.1 keeps deprecated Lua builtins (`getfenv`, `setfenv`, `newproxy`) exposed to scripts and fails to lock metatables for basic types. An attacker can inject methods into shared metatables, capture privileged environments, and run commands with another user's permissions.

## Environment

- Redis server 8.2.1 (or any vulnerable release before 8.2.2)
- `redis-cli`
- Local network access to the Redis instance

## Files

- [`CVE-2025-46818.lua`](/CVE-2025-46818.lua) – verifies deprecated builtins are present, patches the string metatable, and exposes a helper.

## Usage

```bash
# Setup
redis-cli -h localhost -p 6379 --eval CVE-2025-46818.lua
# Invoke the injected helper (assuming the victim user has higher privileges):
redis-cli -h localhost -p 6379 EVAL "return ('test').escalate()" 0
```

**Expected result:**

On 8.2.1 the initial script reports the deprecated APIs as `true` and confirms the metatable modification. The follow-up call returns the output of `ACL WHOAMI` (or whichever privileged command you swap in). Redis 8.2.2 removes the APIs by default, makes basic metatables read-only, and logs attempts.

## Mitigation

Upgrade to Redis 8.2.2 or later. If upgrading is not possible, disable Lua scripting for untrusted users, or run with `lua-enable-deprecated-api no`.
File snapshot

```
[4.0K] /data/pocs/7f2c9e1dddbc10e856ac55dbb588c700c7d9a38d
├── [1.5K] CVE-2025-46818.lua
└── [1.4K] README.md

0 directories, 2 files
```