Latest Valkey vulnerabilities #
Certain versions of LF Projects' Valkey are affected by four vulnerabilities in its Lua scripting functionality, mirroring vulnerabilities disclosed in its upstream project, Redis (GHSA-4789-qfc9-5f9q, GHSA-m8fj-85cg-7vhp, GHSA-qrv7-wcrx-q5jp, and GHSA-4c68-q8q8-3g4f). As an open-source fork, Valkey shares a significant portion of the same codebase, making it susceptible to the same vulnerabilities.
For one of these shared vulnerabilities, Valkey published its own independent advisory, GHSA-9rfg-jx7v-52p6, which corresponds to the Redis advisory GHSA-4789-qfc9-5f9q. Valkey's release notes acknowledge all four of the shared CVE IDs.
- A remote, low-privileged adversary may use a specially crafted Lua script to manipulate the garbage collector, triggering a use-after-free vulnerability that could lead to remote code execution (RCE). This vulnerability has been designated CVE-2025-49844 and has been rated critical with a CVSS score of 10.0.
- A local, low-privileged adversary may use a specially crafted Lua script to cause an integer overflow that could lead to RCE. This vulnerability has been designated CVE-2025-46817 and has been rated high with a CVSS score of 7.0.
- A local, low-privileged adversary may use a specially crafted Lua script to manipulate different Lua objects and potentially execute arbitrary code in the context of another user. This vulnerability has been designated CVE-2025-46818 and has been rated medium with a CVSS score of 6.0.
- A local, low-privileged adversary may use a specially crafted Lua script to read out-of-bounds data or crash the server causing a denial-of-service (DoS). This vulnerability has been designated CVE-2025-46819 and has been rated medium with a CVSS score of 6.3.
The following versions are affected
- Valkey 7.2.x versions prior to 7.2.11
- Valkey 8.0.x versions prior to 8.0.6
- Valkey 8.1.x versions prior to 8.1.4
What is the impact? #
Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.
Are updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible:
- Valkey 7.2.x upgrade to version 7.2.11 or later
- Valkey 8.0.x upgrade to version 8.0.6 or later
- Valkey 8.1.x upgrade to version 8.1.4 or later
How to find potentially vulnerable systems with runZero #
From the Software Inventory, use the following query to locate potentially impacted assets:
(vendor:=valkey OR vendor:="Fedora Project") AND product:=valkey AND (version:>0 AND ((version:>=7.2 AND version:<7.2.11) OR (version:>=8.0 AND version:<8.0.6) OR (version:>=8.1 AND version:<8.1.4)))
