
VSA-2025-005: Redis vulnerabilities

Published: 2025-10-09
Updated: 2025-10-09
Severity: 🟢 Low
CVSS 4.0: 10.0 and 8.8
Affected products: None

Several XSAs and their associated CVEs were published. For Vates products, we classify the impact as Low, as none of Vates' products is directly impacted. For details on how we assign severity levels, see our Severity Levels Explained page.

Summary

CVE-2025-49844 - A vulnerability exists in Redis that would allow an authenticated user to inject a malicious Lua script to manipulate the garbage collector, trigger a use-after-free (UAF) and potentially lead to remote code execution (RCE).

CVE-2025-46817 - A vulnerability exists in Redis that would allow an authenticated user to inject a malicious Lua script to cause an integer overflow and potentially lead to remote code execution (RCE).

CVE-2025-46818 - A vulnerability exists in Redis that would allow an authenticated user to inject a malicious Lua script to manipulate different Lua objects and potentially run their own code in the context of another user.

CVE-2025-46819 - A vulnerability exists in Redis that would allow an authenticated user to inject a malicious Lua script to read out-of-bounds data or crash the server, resulting in a denial of service.

Impact

For XOA, there is no impact, because Redis does not listen outside of localhost. You are not affected.

Affected Versions

  • Xen Orchestra Appliance (XOA): Not affected.

Mitigation

There is no mitigation as XO is not impacted. If you have changed your Redis configuration to listen outside of localhost, we recommend reverting to the default setting.

Resolution

  • For XOA users, the update is applied daily by the unattended-upgrades package; you can check the installed version with apt show redis (the Redis version should be >= 5:7.0.15-1~deb12u6).
  • For XO from source on Debian, this has been fixed in upstream version 8.2.2; please check your distribution's security pages for more information.
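As an added illustration (not Vates' code), the following POSIX shell functions check the two conditions this advisory relies on: that Redis binds only to loopback addresses, and that the installed Debian package is at or above 5:7.0.15-1~deb12u6. The bind parser is exercised on constructed redis.conf text; the live check assumes apt, dpkg and redis-cli are present on the host.

```shell
#!/bin/sh
# Added example, not part of the advisory: verify a Debian 12 / XOA host against
# the advisory's two conditions (loopback-only bind, fixed package version).
FIXED_VERSION="5:7.0.15-1~deb12u6"

# Return 0 when every uncommented 'bind' directive in the given redis.conf text
# names only loopback addresses (the Debian default is "bind 127.0.0.1 -::1").
# No bind directive at all means Redis listens on every interface, so that fails.
bind_is_local_only() {
    conf="$1"
    binds=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*bind[[:space:]][[:space:]]*//p')
    [ -n "$binds" ] || return 1
    for addr in $binds; do
        case "$addr" in
            127.*|-127.*|::1|-::1|localhost) ;;   # accepted loopback forms
            *) return 1 ;;                        # anything else is reachable remotely
        esac
    done
    return 0
}

# Return 0 when a Debian version string is >= the fixed version. dpkg does the
# comparison, so the epoch (5:) and the ~deb12u6 suffix are ordered correctly.
redis_version_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED_VERSION"
}

# Live check: version from 'apt show redis' (as the advisory suggests) and the
# effective bind list from the running server via redis-cli.
check_host() {
    installed=$(apt show redis 2>/dev/null | sed -n 's/^Version: //p')
    if redis_version_fixed "$installed"; then echo "redis $installed: fixed"
    else echo "redis $installed: NOT at fixed version"; fi
    # CONFIG GET prints the key on line 1 and its value on line 2
    live_bind=$(redis-cli CONFIG GET bind 2>/dev/null | sed -n 2p)
    if bind_is_local_only "bind $live_bind"; then echo "bind '$live_bind': localhost only"
    else echo "bind '$live_bind': reachable beyond localhost, revert to the default"; fi
}

if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it with `--check` on the host to print both results; the functions can also be sourced and used individually.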

Credits

Thanks to Wiz (link in References) for discovering and reporting these vulnerabilities in Redis.

References

Global

  • CVE-2025-49844
  • CVE-2025-46817
  • CVE-2025-46818
  • CVE-2025-46819