Is Factorio affected by CVE-2025-49844?
A critical vulnerability has been reported in Redis: https://redis.io/blog/security-advisory-cve-2025-49844/. This is a bug in the Lua garbage collector which can be exploited by a malicious Lua script, and may lead to RCE (remote code execution). If the bug exists in the Lua version included in Factorio, this could potentially mean that the vulnerability is exploitable by a malicious mod.
I would recommend that anyone avoid updating/installing any mods until Factorio is either updated or verified to not be affected by this vulnerability.
EDIT (TL;DR): the answer to the question in the subject is "no", for those of you who do not want to scroll to the end.
Last edited by ObsoleteAlien on Tue Oct 14, 2025 9:56 am, edited 1 time in total.
Re: Is Factorio affected by CVE-2025-49844?
This appears to be an issue in Redis, not in Lua.
Exploitation of this vulnerability requires an attacker to first gain authenticated access to your Redis instance.
Re: Is Factorio affected by CVE-2025-49844?
As far as I can tell from the CVE, this is a bug in the Lua garbage collector? Is it only applicable to Redis then? (Sorry to insist, but I would like to have some official statement from Wube devs on this before I allow myself to install/update any mods.)
Edit: The "attacker needs authenticated access to Redis" seems to apply to Redis usage only; it is still unclear to me what impact, if any, this has on standalone Lua engines like Factorio.
Re: Is Factorio affected by CVE-2025-49844?
The issue is in the way Redis is coded, not in Lua itself.
Source : https://www.wiz.io/blog/wiz-research-re ... 2025-49844
> The vulnerability exploits a Use-After-Free (UAF) memory corruption bug that has existed for approximately 13 years in the Redis source code. This flaw allows a post auth attacker to send a specially crafted malicious Lua script (a feature supported by default in Redis) to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host. This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments.
(emphasis mine)
Koub - Please consider English is not my native language.
Re: Is Factorio affected by CVE-2025-49844?
Despite the wording, it is an issue in the Lua code. I tried the PoC from https://redrays.io/blog/poc-for-cve-202 ... abilities/ . Factorio 2.0.70 seems fine. I used this `control.lua` in a newly created scenario:
require('__base__/script/freeplay/control.lua')
print("before")
-- allocate 1500 large strings so that each full GC cycle below has real work to do
local t = {};
for j=0,1499 do
  t[j] = string.rep('X', 99999+j*777)
end
-- compile and call a fresh chunk immediately after every full collection;
-- on an affected engine this is where the crash would show up
for i=0,1999 do
  collectgarbage('collect')
  local func, err = load(string.format('local t = {}; for j=1,2000 do t[j] = {} end; return %d',i))
  local success, result_or_err = pcall(func);
  print(result_or_err)
end
-- the unpack cases from the same PoC; on 2.0.70 each of them raises a script error
-- print(unpack({1,2,3}, -2, 2147483647));
-- print(unpack({1,2,3}, -2147483648, -2));
print("after")
The script runs fine. Uncommenting either of the unpack lines results in a script error instead of a crash.
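The following is an added example, not code from the thread, from Wube or from the linked PoC: it turns the same GC-pressure check into a self-contained harness that verifies results instead of printing every iteration, so the outcome can be read off a single summary. It assumes standard Lua 5.2+ semantics (`load` accepting a string, `collectgarbage`, `string.rep`) or the Factorio scenario environment the post above used; the function names, the parameter values and the summary table layout are my own choices, and the ballast sizes mirror the original script, so it allocates roughly a gigabyte.

```lua
-- Added example (not from the thread or the Factorio project): a parameterised
-- version of the GC-pressure test that reports a pass/fail summary.
local unpack = unpack or table.unpack  -- Factorio exposes a global unpack; stock 5.2+ uses table.unpack

-- Allocate many large strings so that each collectgarbage('collect') does real work.
-- Sizes are those of the original script; 1500 entries is roughly 1 GB.
local function make_ballast(n)
  local ballast = {}
  for j = 0, n - 1 do
    ballast[j] = string.rep('X', 99999 + j * 777)
  end
  return ballast
end

-- Compile a chunk from a string and call it right after a full GC cycle, many
-- times over. Returns the number of iterations whose result was not the
-- expected integer (0 on a healthy engine) and the last error text, if any.
local function gc_load_stress(iterations)
  local mismatches, last_err = 0, nil
  for i = 0, iterations - 1 do
    collectgarbage('collect')
    local chunk = string.format('local t = {}; for j=1,2000 do t[j] = {} end; return %d', i)
    local func, err = load(chunk)
    if not func then
      mismatches, last_err = mismatches + 1, err
    else
      local ok, result = pcall(func)
      if not ok or result ~= i then
        mismatches, last_err = mismatches + 1, result
      end
    end
  end
  return mismatches, last_err
end

-- The two unpack calls from the post above. On a patched engine each must
-- raise a Lua error that pcall catches; it must never succeed or take the
-- process down. Returns how many of the cases raised an error, and the total.
local function unpack_range_checks()
  local cases = {
    function() return unpack({1, 2, 3}, -2, 2147483647) end,
    function() return unpack({1, 2, 3}, -2147483648, -2) end,
  }
  local raised = 0
  for _, case in ipairs(cases) do
    local ok = pcall(case)
    if not ok then raised = raised + 1 end
  end
  return raised, #cases
end

-- Run everything and return one summary table. Heap figures come from
-- collectgarbage('count') and are in kilobytes.
local function run_all(ballast_entries, iterations)
  local heap_before = collectgarbage('count')
  local ballast = make_ballast(ballast_entries)
  local mismatches, last_err = gc_load_stress(iterations)
  local raised, total = unpack_range_checks()
  ballast = nil            -- release the ballast before the final measurement
  collectgarbage('collect')
  return {
    load_mismatches = mismatches,
    load_last_error = last_err,
    unpack_errors_raised = raised,
    unpack_cases = total,
    heap_kb_before = heap_before,
    heap_kb_after = collectgarbage('count'),
  }
end

local summary = run_all(1500, 2000)
print(string.format(
  'load mismatches: %d (last error: %s); unpack cases raising an error: %d/%d; heap %.0f KB -> %.0f KB',
  summary.load_mismatches, tostring(summary.load_last_error),
  summary.unpack_errors_raised, summary.unpack_cases,
  summary.heap_kb_before, summary.heap_kb_after))
```

A healthy engine reports zero load mismatches and 2/2 unpack cases raising an error, which is the same outcome the post above describes for 2.0.70; the one thing no in-process harness can report is a crash, so if the process itself dies before the summary line is printed, that absence is the finding.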
Re: Is Factorio affected by CVE-2025-49844?
Nice, thank you. My paranoid security-brain can rest a bit easier now.
- BrainGamer_
Re: Is Factorio affected by CVE-2025-49844?
Just FYI, the Lua implementation that Factorio uses is publicly available on GitHub: https://github.com/Rseding91/Factorio-Lua
So if you want to search / test for vulnerabilities you can do so.

Re: Is Factorio affected by CVE-2025-49844?
BrainGamer_ wrote: Tue Oct 14, 2025 10:57 am
> Just FYI Lua implementation that Factorio uses is publicly available on GitHub: https://github.com/Rseding91/Factorio-Lua
> So if you want to search / test for vulnerabilities you can do so
Thanks for the link!
The linked code looks vulnerable: https://github.com/Rseding91/Factorio-L ... er.c#L1634
But the repo is quite old (2.0.46) and I'm not sure whether it reflects the current state.
Edit: I just saw a line above anchoring the closure which seems to indirectly prevent the source from being collected: https://github.com/Rseding91/Factorio-L ... er.c#L1626
So it looks like the Factorio team has fixed the bug independently but in a different way, or the code base was forked from a different version without the vulnerability, since the code looks very different from the vulnerability analysis.
- BrainGamer_
Re: Is Factorio affected by CVE-2025-49844?
h.q.droid wrote: Tue Oct 14, 2025 11:04 am
> But the repo is quite old (2.0.46) and I'm not sure whether it reflects the current state.
The amount of modifications the Lua VM internals get is quite low at this point, so the last commit for 2.0.46 should be the current state (at least as far as I know).
Re: Is Factorio affected by CVE-2025-49844?
The team believes the Factorio Lua engine is not affected by this bug.
ovo