Why is this bad? Do you run user-authored lua scripts against your redis?
Do you have your redis exposed without any authentication on the public internet?
If you do either of those, sure, this is bad for you.
I've worked with quite a few redis setups and know the details of even more, and I do not know a single redis setup which would be vulnerable to this.
I've never heard of a single instance of someone deciding that redis's lua sandbox is secure enough that they'll let their users upload arbitrary lua code and run it, and trust the lua sandbox to keep that redis box safe.
Like, because it's a use-after-free in the lua environment which requires a malicious lua script, this is just such a giant nothing-burger to me and every redis setup I've ever used, all of which only run trusted lua scripts.
> Do you have your redis exposed without any authentication on the public internet?
I will somewhat ashamedly admit to having had a test/development Redis server running on EC2 exploited because I did that. In my defence, it was purely a development/learning exercise and had no real data on it. And it was about 10 years ago. It was an important learning opportunity for me.
Would think most forks would be affected as well (?)