## Valkey Security Alert: CVE-2025-46819 Lua Out-of-Bounds Read Threatens Crash, Data Leak
A critical vulnerability, CVE-2025-46819, exposes the Valkey in-memory data store to authenticated attacks that can crash the system or lead to sensitive information disclosure. The flaw is an out-of-bounds read (CWE-125) within the Lua scripting engine, a core component for executing complex operations. This creates a direct path for an authenticated user to trigger instability or extract data from memory, posing a significant security risk to deployments relying on Valkey for high-performance data handling.

The vulnerability is formally tracked under CVE-2025-46819 and GitHub Security Advisory GHSA-4c68-q8q8-3g4f. Independent verification indicates the fix for this specific CVE is currently absent from the Valkey codebase; it has not been found in recent commits or tracked issues. This gap suggests Valkey may have inherited or reintroduced a known Lua engine weakness that has been addressed in its upstream predecessor, Redis.

The immediate remediation path is clear but requires action: administrators must apply the relevant upstream patches developed for Redis to correct the Lua out-of-bounds read. Until this is done, any Valkey instance accessible to authenticated users remains vulnerable to potential denial-of-service or information leakage attacks. The situation underscores the ongoing security maintenance challenges in forked open-source projects and the need for vigilant patch management.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, CVE-2025-46819, database, open-source
- **Credibility**: unverified
- **Published**: 2026-04-09 15:27:28
- **ID**: 57228
- **URL**: https://whisperx.ai/en/intel/57228