CVE-2022-24736 - How a Malicious Lua Script Can Crash Your Redis Server

Redis is an extremely popular in-memory database that can persist data to disk. Many modern web apps and tech stacks rely on its blazing speed and flexibility—including support for running embedded Lua scripts through special commands. However, in early 2022, a serious vulnerability (CVE-2022-24736) was discovered that let attackers crash Redis just by sending a specially-crafted Lua script.

In this post, we’ll break down what CVE-2022-24736 is, how it works, give you code snippets to illustrate the problem, and provide details on how to fix or mitigate it for your systems. This guide is exclusive to readers new to Redis security and written in plain English.

1. What is CVE-2022-24736?

CVE-2022-24736 is a vulnerability that affects Redis versions before 6.2.7 and 7... If an attacker manages to send a malicious Lua script—using the EVAL or SCRIPT LOAD commands—the Redis process can crash automatically due to a NULL pointer dereference.

This means your cache, session store, or in-memory app database could suddenly go down, just from a single bad script. Since Redis is often used in the backend without tight network controls, this is a big deal.

2. How Does the Exploit Work?

The problem lies in Redis's embedded Lua engine. Prior to the patched versions, certain poorly written (or maliciously crafted) Lua scripts could trigger a bug in the way Redis handles Lua memory. In simple terms: Redis expects certain memory to exist, but when the wrong script comes along, there’s nothing there—and Redis tries to use a NULL pointer, which causes an immediate crash.

Example Exploit with Lua Script

Here’s a simplified example to show what this looks like in practice.

Let’s say an attacker sends this to your Redis server

-- This is a *malicious* Lua script intentionally crafted to crash Redis
return redis.call()

Normally, redis.call() expects at least one argument (the command to run), but here the script omits it, triggering an edge case in Redis’s parser in vulnerable versions.

You can use the EVAL command to run Lua scripts on Redis

redis-cli EVAL "return redis.call()" 

If your Redis version is vulnerable, running this script will immediately crash the process.

Alternatively, sending a broken script with more complex structure can have the same effect, for example:

redis-cli SCRIPT LOAD "local a = nil; return a.b"

Both examples cause Redis to dereference a NULL pointer inside the Lua engine, crashing the server.

3. References and Original Announcements

- CVE Details: CVE-2022-24736

Original Redis Security Announcement:

GitHub Security Advisory (GHSA-35c7-wxmw-q7vw)
- Redis Issue Tracker: redis/redis#10617
- Official Fix Release Note: Redis 6.2.7 Changelog

4. How To Fix It

The vulnerability is completely patched in Redis versions 6.2.7 and 7... To protect your data and uptime:

Upgrade your Redis installation as soon as possible.

- See Redis releases for the latest version.

5. Workarounds (If You Can’t Upgrade)

If you cannot immediately update Redis, there’s a quick way to mitigate the attack—block access to Lua scripting commands using Access Control Lists (ACLs). This stops outsiders or low-privileged users from running dangerous scripts.

How to Block Lua Scripting Commands

Redis has two key Lua script execution commands: EVAL and SCRIPT LOAD.

You can disable them for all users except your admin by adding or updating ACL rules in your redis.conf file or via the ACL SETUSER command.

Example: In redis.conf (for Redis 6+)

user default on nopass ~* -@all +@basic -EVAL -EVALSHA -SCRIPT

Example: Using CLI

redis-cli ACL SETUSER default on >yourpassword ~* -EVAL -EVALSHA -SCRIPT

This removes the ability to use scripting commands for the default user.

> Important: If your app does not use Lua scripts at all, this workaround is safe and effective. If you *do* need Lua scripts, strongly restrict which users can run them.

6. Final Tips and Summary

- Act quickly: The flaw is trivial to exploit, and Redis is often unprotected on internal networks.

Use strong ACLs: Even after patching, good access controls help prevent other attacks.

- Monitor server logs: If you see unexpected crashes after someone sends a script, you may be under attack.

7. Conclusion

CVE-2022-24736 is a serious Redis vulnerability. It lets anyone with scripting access bring down your Redis node. If you manage any Redis servers, update to 6.2.7 or 7.. ASAP, and use the ACL workaround if you can’t patch right away. For most teams, these fixes are straightforward and will save hours of downtime and lost data.

Stay secure and patch your databases!

*Exclusive security post prepared for you. For more details, always check original advisories and the Redis docs.*

Timeline

Published on: 04/27/2022 20:15:00 UTC
Last modified on: 07/25/2022 18:22:00 UTC