| Package | redis |
|---|---|
| Version | 3:3.2.6-3+deb9u17 (stretch), 5:5.0.14-1+deb10u10 (buster) |
| Related CVEs | CVE-2025-46817 CVE-2025-46819 CVE-2025-49844 |

Multiple vulnerabilities were discovered in Redis, a popular key/value database:

- CVE-2025-46817: Fix an issue where an authenticated user could have used a specially-crafted Lua script to cause an integer overflow and potentially lead to remote code execution.
- CVE-2025-46819: Address a potential vulnerability where an authenticated user could have used a specially-crafted Lua script to read out-of-bound data and/or crash the server and thereby create a denial of service attack.
- CVE-2025-49844: Fix an issue where authenticated users could have exploited a specially-crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution.

For Debian 10 buster, these problems have been fixed in version 5:5.0.14-1+deb10u10.
For Debian 9 stretch, these problems have been fixed in version 3:3.2.6-3+deb9u17.
We recommend that you upgrade your redis packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.