<![CDATA[The contemporary landscape of data management, marked by an unprecedented scale and velocity of data, has spurred the widespread adoption of NoSQL databases, prioritizing scalability and performance over traditional relational constraints. While offering significant flexibility, this paradigm shift introduces complex cybersecurity challenges, notably query injection vulnerabilities, which are consistently ranked among the top web application security risks. Redis, a leading in-memory key-value store powering critical infrastructure globally, presents a unique security profile due to its architectural design and features like Lua scripting. Despite its prevalence, a comprehensive academic evaluation of Redis injection attack vectors remains understudied. This study addresses this gap by systematically evaluating command and Lua script injection vulnerabilities in Redis version 7.4.1 across controlled configurations: default, password-protected, and ACL-secured environments. We quantify vulnerability risk and empirically validate mitigation strategies by employing a Dockerized testing framework, Python-driven exploit simulations, and CVSS v3.1 scoring. Our findings reveal critical weaknesses in default and permissively configured environments and demonstrate that restrictive Access Control Lists (ACLs), adhering to the principle of least privilege, provide complete mitigation against the specific injection vectors evaluated in our controlled experimental setup. We propose a Redis-specific threat taxonomy and provide empirically validated recommendations for securing Redis deployments, emphasizing layered security controls and proper ACL implementation. This research contributes the first systematic evaluation of modern Redis injection vulnerabilities and highlights the critical importance of security-conscious configurations to protect vital data infrastructure.]]>
Copyrights © 2025
