Rapid7 Vulnerability & Exploit Database

Redis Lua Sandbox Escape

Back to Search

Redis Lua Sandbox Escape



This module exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing attackers to load arbitrary libraries. On a typical `redis` deployment (not docker), this module achieves execution as the `redis` user. Debian/Ubuntu packages run Redis using systemd with the "MemoryDenyWriteExecute" permission, which limits some of what an attacker can do. For example, staged meterpreter will fail when attempting to use mprotect. As such, stageless meterpreter is the preferred payload. Redis can be configured with authentication or not. This module will work with either configuration (provided you provide the correct authentication details). This vulnerability could theoretically be exploited across a few architectures: i386, arm, ppc, etc. However, the module only supports x86_64, which is likely to be the most popular version.


  • Reginaldo Silva
  • jbaines-r7




cmd, x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/redis/redis_debian_sandbox_escape
msf exploit(redis_debian_sandbox_escape) > show targets
msf exploit(redis_debian_sandbox_escape) > set TARGET < target-id >
msf exploit(redis_debian_sandbox_escape) > show options
    ...show and set options...
msf exploit(redis_debian_sandbox_escape) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security