Is Garnet Server Vulnerable like Redis? In Redis, Lua Use-After-Free may lead to remote code execution. #1405
Closed
bharatkumarmori started this conversation in General
Replies: 1 comment
While both Garnet and Redis support Lua scripting, there's no code in common between them. Garnet actually embeds a more recent version of Lua at that, so we're not even linking in the same code. Accordingly this vulnerability (see diff here for the Redis root cause and fix) would not be applicable to Garnet. You can review our embedding of Lua here and see how different it is from Redis's.
-
A critical security flaw in Redis, a popular in-memory database platform used by about 75% of cloud environments, has left an estimated 60,000 servers vulnerable to remote exploitation.
The flaw, identified as CVE-2025-49844 and nicknamed “RediShell,” carries the maximum severity score of 10.0 under the Common Vulnerability Scoring System (CVSS).
The issue, which has remained undetected for 13 years, lies in Redis’s embedded Lua scripting engine.
This use-after-free vulnerability allows authenticated attackers to upload specially crafted Lua scripts, escape the sandbox and execute arbitrary code on the host.
Do we have a similar vulnerability in Garnet Server? We are using Garnet Server for our caching needs and are a bit curious (and worried) whether we have similar issues somewhere in Garnet.
Please see the links below for further detail: