CVE | 2026-05-31
Redis Has Had a CVSS 10 RCE for 13 Years
A use-after-free in Redis's Lua scripting engine has been present since 2012. CVSS 10. If you run Redis, you're probably affected.
My take
Thirteen years. This bug was old enough to have its own GitHub account. Every Redis instance running Lua scripts has been carrying this since 2012. This is what I mean when I say the problem isn't sophisticated attacks, it's that we can't keep up with what's already broken in the software we depend on. And now attackers have AI to find these faster than we can patch them.
Terminal (~/security/notes)

# check your redis version
$ redis-cli INFO server | grep redis_version
redis_version:7.0.15
# is lua scripting reachable? (lua-time-limit is only a script timeout, not an on/off switch:
# scripting is always compiled in and can only be restricted per user with ACLs)
$ redis-cli ACL LIST
1) "user default on nopass sanitize-payload ~* &* +@all"
# if scripting is reachable and you're below the patched version,
# you have a CVSS 10 RCE sitting in production right now
$ redis-cli ACL SETUSER default -@scripting   # block EVAL/EVALSHA/FCALL as an interim mitigation
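To run that check across many instances without eyeballing redis-cli output, here is an added triage helper (my example, not part of the original post or the Redis project). It parses the text that `redis-cli INFO server` and `redis-cli ACL LIST` print, compares the version against a per-branch patched floor, and lists which ACL users can still reach Lua-executing commands; the sample output and the `PLACEHOLDER_FLOORS` table are constructed, so fill the floors in from the vendor advisory for the branches you run.

```python
import re

# Commands in Redis's @scripting ACL category that actually execute Lua / functions.
LUA_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro"}

# Constructed sample input, shaped like redis-cli output (not from a real host).
SAMPLE_INFO = "# Server\nredis_version:7.0.15\nredis_mode:standalone\n"
SAMPLE_ACL = '''1) "user default on nopass sanitize-payload ~* &* +@all"
2) "user app on #0123abcd ~app:* &* -@all +get +set"
3) "user batch on nopass ~* &* +@all -@scripting +evalsha"
4) "user old off nopass ~* &* +@all"'''
# PLACEHOLDER: (major, minor) -> first fixed release; take real values from the advisory.
PLACEHOLDER_FLOORS = {(7, 0): (7, 0, 99)}

def parse_version(info_text):
    """Return (major, minor, patch) from INFO server output, or None if absent."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def is_patched(version, floors):
    """True/False against the floor for this branch; None if branch or version unknown."""
    if version is None or version[:2] not in floors:
        return None
    return version >= floors[version[:2]]

def reachable_lua_commands(acl_rule_line):
    """Apply one user's ACL rules left to right (as Redis does) and return the
    Lua-executing commands still callable; a disabled ('off') user gets none."""
    tokens = acl_rule_line.split()
    allowed = set()
    for tok in tokens[2:]:
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = set(LUA_COMMANDS)
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed = set()
        elif tok[0] in "+-" and tok[1:2] != "@":          # individual command rule
            cmd = tok[1:].split("|")[0].lower()           # drop any sub-command part
            if cmd in LUA_COMMANDS:
                (allowed.add if tok[0] == "+" else allowed.discard)(cmd)
    return set() if "off" in tokens else allowed

def parse_acl_list(acl_text):
    """Strip redis-cli's 'N) "..."' decoration and return the raw rule lines."""
    return re.findall(r'^\s*\d+\)\s*"(.*)"\s*$', acl_text, re.M)

def triage(info_text, acl_text, floors):
    """Summarise exposure: version, patched status, and users that can run Lua."""
    version = parse_version(info_text)
    users = {line.split()[1]: sorted(reachable_lua_commands(line))
             for line in parse_acl_list(acl_text)}
    return {"version": version, "patched": is_patched(version, floors),
            "users_with_lua": {u: c for u, c in users.items() if c}}

if __name__ == "__main__":
    print(triage(SAMPLE_INFO, SAMPLE_ACL, PLACEHOLDER_FLOORS))
```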
Takeaway
Patch. Check what's running in your environment. Don't assume your dependencies are safe because they've been around a long time; that just means the bugs have been around a long time too.