## Summary

Kvrocks uses a Lua library (RocksLabs/lua) that contains a critical use-after-free vulnerability (CVE-2025-49844), originally from Redis. The `luaY_parser()` function does not protect the `TString` created by `luaS_new()` on the Lua stack, allowing the garbage collector to free it during parsing. This can be exploited for remote code execution.

Discovered at Pwn2Own Berlin 2025 by Wiz.

## Details

- CVE: CVE-2025-49844
- Vulnerable Code: `src/lparser.c` in RocksLabs/lua
- Impact: Remote Code Execution (authenticated)
- Note: Affects the PUC Lua fallback path (`-DENABLE_LUAJIT=OFF`). The default LuaJIT path is not affected.

## Fix

In `luaY_parser()`, anchor the `TString` to the Lua stack:
```c
TString *tname = luaS_new(L, name);
setsvalue2s(L, L->top, tname);  /* put the name string in the top stack slot so the GC sees it as a root */
incr_top(L);                    /* advance L->top so that slot stays live for the whole parse */
luaX_setinput(L, &lexstate, z, tname);
```
And add `--L->top;` after `close_func()`.

Upstream Redis fix: redis/redis@d5728cb
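To make the rooting invariant behind this fix concrete, here is a toy mark-and-sweep VM in C, added as an example for this advisory. It is not Kvrocks or Lua code: the `VM`, `Obj`, `new_string`, `parse_unanchored` and `parse_anchored` names are invented stand-ins for the real internals, and a collection is forced on every second allocation so the outcome is deterministic. The unanchored variant has the shape of the original `luaY_parser()`, where the name string is never placed on the stack; the anchored variant pushes it before the lexer allocates and pops it afterwards, as the patch does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJS  64
#define MAX_ROOTS 16

/* A collectable string object: stands in for Lua's TString (constructed for this demo). */
typedef struct Obj {
    char *text;   /* heap payload */
    int marked;   /* set during the mark phase */
    int freed;    /* recorded when swept, so the demo can report the outcome without touching freed memory */
} Obj;

/* The toy VM: an object arena, a root stack standing in for the Lua stack, and an allocation counter. */
typedef struct VM {
    Obj  heap[MAX_OBJS];
    int  nobjs;
    Obj *roots[MAX_ROOTS];  /* L->stack .. L->top: everything reachable from here survives a collection */
    int  top;               /* plays the role of L->top */
    int  allocs_since_gc;
} VM;

static void vm_init(VM *vm) { memset(vm, 0, sizeof *vm); }

static void vm_destroy(VM *vm) {
    for (int i = 0; i < vm->nobjs; i++) free(vm->heap[i].text);  /* free(NULL) is a no-op for swept objects */
}

/* Mark everything reachable from the root stack, then sweep everything unmarked. */
static void gc_collect(VM *vm) {
    for (int i = 0; i < vm->nobjs; i++) vm->heap[i].marked = 0;
    for (int i = 0; i < vm->top; i++) vm->roots[i]->marked = 1;
    for (int i = 0; i < vm->nobjs; i++) {
        Obj *o = &vm->heap[i];
        if (!o->marked && !o->freed) {
            free(o->text);
            o->text = NULL;
            o->freed = 1;
        }
    }
    vm->allocs_since_gc = 0;
}

/* Like luaS_new(): allocate a string object. Like luaC_checkGC(), any allocation may
 * first run a collection; here every second allocation does (a demo choice). */
static Obj *new_string(VM *vm, const char *s) {
    if (vm->nobjs >= MAX_OBJS) return NULL;
    if (++vm->allocs_since_gc >= 2) gc_collect(vm);
    Obj *o = &vm->heap[vm->nobjs++];
    size_t n = strlen(s) + 1;
    o->text = malloc(n);
    memcpy(o->text, s, n);
    o->marked = 0;
    o->freed = 0;
    return o;
}

/* Vulnerable shape: the chunk name is created but never pushed on the root stack, so the
 * lexer's next allocation triggers a collection that reclaims it while the parser still
 * holds the pointer. Returns 1 if the name string is still valid, 0 if it was swept. */
static int parse_unanchored(VM *vm, const char *chunkname) {
    Obj *tname = new_string(vm, chunkname);   /* luaS_new(L, name) */
    Obj *token = new_string(vm, "local");     /* lexer allocates -> GC runs, tname has no root */
    (void)token;
    return tname->freed ? 0 : 1;
}

/* Fixed shape: push the name on the root stack before any further allocation
 * (setsvalue2s + incr_top) and pop it when parsing is done (--L->top after close_func()). */
static int parse_anchored(VM *vm, const char *chunkname) {
    Obj *tname = new_string(vm, chunkname);
    vm->roots[vm->top++] = tname;             /* setsvalue2s(L, L->top, tname); incr_top(L); */
    Obj *token = new_string(vm, "local");     /* GC runs here too, but tname is now reachable */
    (void)token;
    int alive = tname->freed ? 0 : 1;
    vm->top--;                                /* --L->top: parsing finished, the name may be collected later */
    return alive;
}

/* Run each variant on a fresh VM; 1 means the name survived the collection. */
int demo_unanchored(void) {
    VM vm; vm_init(&vm);
    int alive = parse_unanchored(&vm, "=user_script");
    vm_destroy(&vm);
    return alive;
}

int demo_anchored(void) {
    VM vm; vm_init(&vm);
    int alive = parse_anchored(&vm, "=user_script");
    vm_destroy(&vm);
    return alive;
}

int main(void) {
    printf("unanchored name survives GC: %d\n", demo_unanchored());  /* 0 */
    printf("anchored name survives GC:   %d\n", demo_anchored());    /* 1 */
    return 0;
}
```

The demo records a `freed` flag instead of dereferencing the swept object, so it reports the dangling-pointer condition without itself reading freed memory. The same check is what a defender wants from a fix like this one: any collector-managed object a C function keeps using across an allocation must be reachable from a root for the whole time it is in use.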