Redis
Redis is an in-memory data structure store used as a cache, session store, and message queue. Redis was designed to run in trusted networks behind a firewall, not exposed directly to the internet. CVEs in Redis frequently involve the Lua scripting engine, integer overflows in command parsing, and sandbox escapes. Several high-severity CVEs in the dataset are specific to Debian and Ubuntu packaging of Redis.
Querying Redis
curl "https://api.attestd.io/v1/check?product=redis&version=6.2.6" \
  -H "Authorization: Bearer $ATTESTD_KEY"
The response for Redis 6.2.6 lists CVE-2022-0543 (Lua sandbox escape in the Debian/Ubuntu packages) and CVE-2021-32625 (integer overflow in the STRALGO LCS command). Both are triggered by ordinary commands from any client that can connect, and Redis ships with requirepass unset, so both return authentication_required: false. Two caveats before acting on that: since Redis 3.2, protected mode refuses connections from non-loopback addresses until a password or an explicit bind directive is configured (or protected mode is switched off), so the exposure only materialises once an operator has opened the port; and CVE-2021-32625 was fixed upstream in 6.0.14 and 6.2.4, so a hit on 6.2.6 should be confirmed against the upstream advisory. The Debian packaging issue, by contrast, does not depend on the Redis version at all.
{
"product": "redis",
"version": "6.2.6",
"supported": true,
"risk_state": "high",
"risk_factors": [
"remote_code_execution",
"no_authentication_required",
"internet_exposed_service",
"patch_available"
],
"actively_exploited": false,
"remote_exploitable": true,
"authentication_required": false,
"patch_available": true,
"fixed_version": "7.0.0",
"confidence": 0.86,
"cve_ids": ["CVE-2022-0543", "CVE-2021-32625"],
"last_updated": "2026-02-23T18:21:30Z"
}
CVE history
Redis CVEs fall into several categories: Lua scripting sandbox escapes, integer overflows in command argument or data-structure handling that corrupt the heap, and denial of service via specific command sequences. CVE-2022-0543 is notable because the vulnerability exists in the Debian and Ubuntu packaging of Redis, not in the Redis source code itself, which means a version-based match cannot tell a vulnerable distribution build from an unaffected upstream build at the same version number; the package revision, or a probe of the running server, is what decides it.
| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2022-0543 | Lua sandbox escape specific to the Debian and Ubuntu packages. Those builds leave the Lua `package` library reachable from scripts, so any client allowed to run EVAL can call package.loadlib to load a shared object and execute arbitrary code as the redis user. Official Redis builds are not affected; fixed in the distribution packages (Debian DSA-5081-1, February 2022). | Debian/Ubuntu packages before the packaging fix, regardless of Redis version | 10.0 |
| CVE-2021-32625 | Integer overflow in the STRALGO LCS command, the incomplete-fix follow-up to CVE-2021-29477. Very long input strings overflow the buffer size calculation in the Longest Common Subsequence implementation and corrupt the heap, which may allow remote code execution. | 6.0.0 to 6.0.13, 6.2.0 to 6.2.3 (fixed in 6.0.14 and 6.2.4) | 7.5 |
| CVE-2021-32628 | Integer overflow in the ziplist encoding. A client that can raise the *-max-ziplist-* configuration limits (for example via CONFIG SET) and then build very large ziplists corrupts the heap, which may allow remote code execution. | All versions before 5.0.14, 6.0.15 and 6.2.5 | 7.5 |
| CVE-2022-24736 | Null pointer dereference triggered by a specially crafted Lua script, crashing the redis-server process. No code execution, but any client allowed to run scripts can take the server down. | Before 6.2.7 and 7.0.0 | 5.5 |
| CVE-2023-28425 | Denial of service via a specially crafted MSETNX command, which trips an assertion and crashes the server. | 7.0.8 and 7.0.9 (fixed in 7.0.10) | 5.5 |
Vendor namespace change
NVD's CPE vendor identifier for Redis changed in 2021. CVEs filed before the change use the redislabs:redis namespace; CVEs filed after use redis:redis. Querying only one namespace silently misses CVEs from the other. Attestd queries both and deduplicates on CVE ID:
| CPE | Coverage |
|---|---|
| cpe:2.3:a:redis:redis | 2021 and later |
| cpe:2.3:a:redislabs:redis | Pre-2021 (includes early Lua and EVAL issues) |
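What querying both namespaces and deduplicating on CVE ID looks like in practice, as an added example for this page (not Attestd's implementation): the NVD 2.0 endpoint and its cpeName query parameter are real, while the merge logic and the two response snippets, constructed to mimic the shape of NVD 2.0 output, are this example's own. The live fetch needs network access; the demo runs offline against the constructed samples.

```python
"""Collect Redis CVEs from NVD under both CPE vendor namespaces and deduplicate.

Added example, not Attestd's code. SAMPLE below is constructed, not real NVD data.
"""
import json
import urllib.parse
import urllib.request

NVD_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
# Both namespaces NVD has used for Redis; querying one alone misses records.
VENDORS = ("redis", "redislabs")


def cpe_name(vendor: str, version: str = "*") -> str:
    """Build a CPE 2.3 name for a Redis release under the given vendor namespace."""
    return f"cpe:2.3:a:{vendor}:redis:{version}:*:*:*:*:*:*:*"


def query_url(vendor: str, version: str) -> str:
    """NVD 2.0 query for every CVE whose configurations match this CPE name."""
    return NVD_URL + "?" + urllib.parse.urlencode({"cpeName": cpe_name(vendor, version)})


def fetch(vendor: str, version: str, api_key: str = "") -> dict:
    """Live fetch over the network; an NVD API key (optional) raises the rate limit."""
    req = urllib.request.Request(query_url(vendor, version))
    if api_key:
        req.add_header("apiKey", api_key)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def merge(responses: dict) -> dict:
    """Deduplicate on CVE ID across namespaces.

    Keeps the most recently modified copy of each record and remembers which
    namespaces returned it, so a report can show where each CVE was found.
    """
    merged = {}
    for vendor, resp in responses.items():
        for item in resp.get("vulnerabilities", []):
            cve = item["cve"]
            entry = merged.setdefault(cve["id"], {"record": cve, "namespaces": set()})
            entry["namespaces"].add(vendor)
            if cve.get("lastModified", "") > entry["record"].get("lastModified", ""):
                entry["record"] = cve
    return merged


def redis_cves(version: str, fetcher=fetch) -> dict:
    """Query both namespaces for one Redis version and merge the results."""
    return merge({vendor: fetcher(vendor, version) for vendor in VENDORS})


# Constructed sample responses (not real NVD output) shaped like NVD 2.0 JSON;
# CVE-2021-32628 appears under both namespaces to exercise the deduplication.
SAMPLE = {
    "redislabs": {"vulnerabilities": [
        {"cve": {"id": "CVE-2021-32625", "lastModified": "2023-11-07T03:35:00.000"}},
        {"cve": {"id": "CVE-2021-32628", "lastModified": "2022-10-01T00:00:00.000"}},
    ]},
    "redis": {"vulnerabilities": [
        {"cve": {"id": "CVE-2022-0543", "lastModified": "2024-01-15T12:00:00.000"}},
        {"cve": {"id": "CVE-2021-32628", "lastModified": "2023-06-01T00:00:00.000"}},
    ]},
}


def demo() -> dict:
    """Run the merge offline against the constructed samples."""
    return redis_cves("6.2.6", fetcher=lambda vendor, version: SAMPLE[vendor])


if __name__ == "__main__":
    for cve_id, entry in sorted(demo().items()):
        print(cve_id, sorted(entry["namespaces"]), entry["record"]["lastModified"])
```

Querying a single namespace against the samples returns two of the three CVEs; the merged set has all three, and the shared record keeps the newer copy.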