Redis Lua Sandbox Escape Remote Code Execution (CVE-2022-0543)
Overview
Redis Lua Sandbox Escape Remote Code Execution, tracked as CVE-2022-0543, affects Redis packages built with a Debian-specific packaging issue. Redis itself is widely used as an in-memory data store, cache, queue backend, and session storage layer, which makes exposed vulnerable instances a serious infrastructure risk.
Vulnerability Overview
CVE-2022-0543 is a Lua sandbox escape in Redis packages affected by Debian's packaging changes. Redis supports Lua scripting for server-side operations, and that scripting environment is expected to be restricted. In the vulnerable packages, the sandbox was not sufficiently isolated, allowing behavior that could lead to arbitrary code execution.
A point worth stressing is that this is not a general upstream Redis vulnerability present in every distribution. It is tied to the affected Debian-specific Redis packages and to downstream environments that shipped the same vulnerable packaging.
Impact
The vulnerability is rated Critical with a CVSS 3.1 score of 10.0. Successful exploitation can result in remote code execution with high confidentiality, integrity, and availability impact.
The risk is highest when a vulnerable Redis service is reachable by untrusted users. CVE-2022-0543 is listed in the CISA Known Exploited Vulnerabilities catalog, confirming that it has been exploited in real-world environments.
Vulnerability Scope
The affected scope centers on Debian-specific Redis packages, with NVD also identifying affected downstream Linux distribution packages. Debian published DSA-5081 to address the issue.
Installing the fixed distribution packages removes the vulnerable condition; keeping Redis off publicly reachable interfaces and enforcing network-level access controls reduce the exposure of any instance that has not yet been patched.
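The hardening decisions above can be checked mechanically. The following is an added example, not part of this lab or of Redis itself: a small Python audit that parses a redis.conf and flags the exposure conditions this page names (listening on all interfaces, protected mode off, no authentication, and Lua scripting commands left reachable). The two configuration fragments are constructed for illustration; the password value is a placeholder. Note that this audit only covers exposure, the actual fix for CVE-2022-0543 is the package upgrade published in DSA-5081.

```python
# Constructed sample redis.conf fragments (not taken from any real deployment).
EXPOSED_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass <placeholder-strong-password>
rename-command EVAL ""
rename-command EVALSHA ""
"""


def parse_conf(text):
    """Parse redis.conf into {directive: [[args...], ...]}, keeping repeats in order."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(text):
    """Return a list of exposure findings; an empty list means no issue was found."""
    conf = parse_conf(text)
    findings = []
    # No bind line at all means Redis listens on every interface.
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("listens on all interfaces (bind)")
    # protected-mode defaults to yes; only an explicit 'no' disables it.
    if conf.get("protected-mode", [["yes"]])[-1][:1] != ["yes"]:
        findings.append("protected-mode disabled")
    if "requirepass" not in conf:
        findings.append("no requirepass set")
    # Renaming EVAL/EVALSHA (to "" to disable) keeps untrusted clients away
    # from the Lua scripting environment until the package is patched.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if not {"EVAL", "EVALSHA"} <= renamed:
        findings.append("Lua scripting commands reachable (EVAL/EVALSHA not renamed)")
    return findings
```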
Lab Focus
This Hackviser lab focuses on understanding how package-level changes can alter the security boundary of an otherwise restricted runtime. You will practice identifying vulnerable Redis packaging, recognizing why Lua sandbox isolation matters, and mapping the CVE impact to practical hardening decisions.
