CVE-2024-31449

HIGH EPSS 90.3%

Published Oct 7, 20241y ago · Modified Jun 17, 20261w ago

8.8 CVSS 3.1

High

Published Oct 7, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

Description

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Details

Base Score

8.8

Exploitability

2.8

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

90.3% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 2

CWE-121

CWE-20 Improper Input Validation Validation

Affected Products 5

Vendor	Product	Version	Range
redis	redis	*	≥2.8.18 – <6.2.16
redis	redis	*	≥7.2.0 – <7.2.6
redis	redis	7.4.0	any
redis	redis	7.4.0	any
redis	redis	7.4.0	any

References 2

github.com https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9

Patch
github.com https://github.com/redis/redis/security/advisories/GHSA-whxg-wx83-85p5

Vendor Advisory

Remediation

github.com https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9

Patch