CVE-2024-46981

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-46981. PoCs published by publicqi, xsshk.

AI-analyzed exploit summary This is a functional exploit for CVE-2024-46981 targeting Redis 6.2.11, leveraging a use-after-free vulnerability in Lua scripting to achieve remote code execution via heap manipulation and forged objects.

Description

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Exploits (2)

nomisec WORKING POC 5 stars

by publicqi · poc

https://github.com/publicqi/CVE-2024-46981

View Code ZIP pw:eip

This is a functional exploit for CVE-2024-46981 targeting Redis 6.2.11, leveraging a use-after-free vulnerability in Lua scripting to achieve remote code execution via heap manipulation and forged objects.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Redis 6.2.11

Auth required

Prerequisites: Redis server with Lua scripting enabled · Authentication credentials if required

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by xsshk · poc

https://github.com/xsshk/CVE-2024-46981