As part of an ongoing effort by the Redis Community and Redis to maintain Redis safety, security, and compliance posture, three security vulnerabilities in Redis have been published recently.
[CVE-2024-31449] Lua library commands may be exploited by an authenticated user to achieve remote code execution. CVSS Score: 7.0 (High)
Redis ships with an embedded version of the Lua engine to support the execution of user scripts. The engine handles these scripts and runs them within the context of the Redis database.
An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution.
Any commands executed by exploiting this vulnerability will be run in the context of the user and group that owns the Redis processes.
[CVE-2024-31228] Denial-of-service due to unbounded pattern matching. CVSS Score: 5.5 (Moderate)
An authenticated user can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as KEYS, SCAN, PSUBSCRIBE, FUNCTION LIST, COMMAND LIST, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash.
[CVE-2024-31227] Denial-of-service due to malformed ACL selectors. CVSS Score: 4.4 (Moderate)
An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service.
Exposure to these vulnerabilities requires an attacker to gain access to your Redis instance.
There are several steps you can take to protect your Redis from being accessed by a malicious actor. To minimize the risk of exploitation, it’s important to follow these best practices:
For more details on how to securely configure, deploy, and use Redis, visit the Community Edition and Enterprise Software documentation sites.
We’ve already upgraded our Redis Cloud service with the fixes, so no additional action is required from you.
If you’re self-managing Redis, whether the Software or Community version, upgrade your Redis.
The releases listed below for Redis OSS, CE, Stack, and Software include the fixes; once you have upgraded to one of them, no further action is needed.
| Vulnerability | Impacted releases | Fixed releases |
|---|---|---|
| [CVE-2024-31449] Lua library commands may be exploited by an authenticated user to achieve remote code execution. CVSS Score: 7.0 (High) | All Redis Software releases | 7.4.2-169 and above; 7.2.4-109 and above; 6.4.2-110 and above; 7.4.6 – all builds; 7.6.0 – all builds (non-GA); 7.8.0 – all builds (non-GA) |
| | All Redis OSS/CE/Stack releases | OSS/CE: 7.4.1, 7.2.6, 6.2.16. Stack: 7.4.0-v1, 7.2.0-v13, 6.2.6-v17 |
| [CVE-2024-31228] Denial-of-service due to unbounded pattern matching. CVSS Score: 5.5 (Moderate) | All Redis Software releases | 7.4.2-169 and above; 7.2.4-109 and above; 6.4.2-110 and above; 7.4.6 – all builds; 7.6.0 – all builds (non-GA); 7.8.0 – all builds (non-GA) |
| | All Redis OSS/CE/Stack releases | OSS/CE: 7.4.1, 7.2.6, 6.2.16. Stack: 7.4.0-v1, 7.2.0-v13, 6.2.6-v17 |
| [CVE-2024-31227] Denial-of-service due to malformed ACL selectors. CVSS Score: 4.4 (Moderate) | No exposure for Redis Software | N/A |
| | All Redis OSS/CE/Stack releases 7.0.0 or newer | OSS/CE: 7.4.1, 7.2.6. Stack: 7.4.0-v1, 7.2.0-v13 |
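A quick way to check whether a self-managed Redis OSS/CE instance is at or above the fixed release for its branch, as an added example that is not part of this advisory or of Redis’s own tooling: it reads the `redis_version` field from the output of the `INFO server` command and compares it with the OSS/CE fixed releases in the table above. It assumes a three-part `major.minor.patch` version string, so it applies to OSS/CE only; Redis Stack and Redis Software use their own version schemes and must be checked against their rows in the table.

```python
"""Compare a Redis OSS/CE server version with the fixed releases in this advisory."""
import re

# Fixed OSS/CE releases from the advisory table, keyed by release branch (major, minor).
FIXED_OSS_CE = {
    (7, 4): (7, 4, 1),
    (7, 2): (7, 2, 6),
    (6, 2): (6, 2, 16),
}

# Constructed sample of `INFO server` output (not captured from a real server).
SAMPLE_INFO = """# Server
redis_version:7.2.5
redis_git_sha1:00000000
redis_mode:standalone
"""


def parse_version(text):
    """Return (major, minor, patch) from a redis_version value such as '7.2.5'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised redis_version: {text!r}")
    return tuple(int(x) for x in m.groups())


def redis_version_from_info(info_text):
    """Extract the redis_version field from raw INFO output."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


def assess(version):
    """Classify a version as fixed, vulnerable, or outside the advisory's fixed branches."""
    v = parse_version(version)
    fixed = FIXED_OSS_CE.get(v[:2])
    if fixed is None:
        return "no fixed release listed for this branch; move to a fixed branch"
    if v >= fixed:
        return "fixed"
    return "vulnerable; upgrade to " + ".".join(map(str, fixed)) + " or later"


if __name__ == "__main__":
    # Replace SAMPLE_INFO with the real output of `redis-cli INFO server`.
    ver = redis_version_from_info(SAMPLE_INFO)
    print(f"redis_version {ver}: {assess(ver)}")
```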
We have no evidence of exploitation of these vulnerabilities at Redis or in customer environments.
This isn’t a comprehensive guide, but it is a general recommendation you can adapt to your needs and operating environment.
There are a number of technical and behavioral indicators or artifacts that may be created if exploitation of the vulnerability occurred. Searching for these within your Redis environment should let you detect potential exploitation affecting your Redis instance.
We thank the following researchers for identifying these vulnerabilities and reporting them through our published process: