ALAS2REDIS6-2025-015

Amazon Linux 2 Security Advisory: ALAS2REDIS6-2025-015
Advisory Released Date: 2025-10-14
Advisory Updated Date: 2025-10-14

Severity: Important

References: CVE-2025-46817 CVE-2025-46818 CVE-2025-46819 CVE-2025-49844
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. (CVE-2025-46817)

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families. (CVE-2025-46818)

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families. (CVE-2025-46819)

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands. (CVE-2025-49844)

Affected Packages:

redis

Note:

This advisory is applicable to Amazon Linux 2 - Redis6 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update redis or yum update --advisory ALAS2REDIS6-2025-015 to update your system.

New Packages:

aarch64:
    redis-6.2.20-2.amzn2.0.1.aarch64
    redis-devel-6.2.20-2.amzn2.0.1.aarch64
    redis-debuginfo-6.2.20-2.amzn2.0.1.aarch64

noarch:
    redis-doc-6.2.20-2.amzn2.0.1.noarch

src:
    redis-6.2.20-2.amzn2.0.1.src

x86_64:
    redis-6.2.20-2.amzn2.0.1.x86_64
    redis-devel-6.2.20-2.amzn2.0.1.x86_64
    redis-debuginfo-6.2.20-2.amzn2.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-49844

Mitre: CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-49844