An Empirical Analysis of Injection Attack Vectors and Mitigation Strategies in Redis NoSQL Database
DOI: https://doi.org/10.62411/jcta.12640

Keywords: Access Control Lists, Command Injection, Database Security, Lua Script Injection, NoSQL Injection, Redis, Vulnerability Assessment

Abstract

The contemporary landscape of data management, marked by an unprecedented scale and velocity of data, has spurred the widespread adoption of NoSQL databases, which prioritize scalability and performance over traditional relational constraints. While offering significant flexibility, this paradigm shift introduces complex cybersecurity challenges, notably query injection vulnerabilities, which are consistently ranked among the top web application security risks. Redis, a leading in-memory key-value store powering critical infrastructure globally, presents a unique security profile due to its architectural design and features such as Lua scripting. Despite its prevalence, a comprehensive academic evaluation of Redis injection attack vectors is still lacking. This study addresses this gap by systematically evaluating command and Lua script injection vulnerabilities in Redis version 7.4.1 across controlled configurations: default, password-protected, and ACL-secured environments. We quantify vulnerability risk and empirically validate mitigation strategies by employing a Dockerized testing framework, Python-driven exploit simulations, and CVSS v3.1 scoring. Our findings reveal critical weaknesses in default and permissively configured environments and demonstrate that restrictive Access Control Lists (ACLs), adhering to the principle of least privilege, provide complete mitigation against the specific injection vectors evaluated in our controlled experimental setup. We propose a Redis-specific threat taxonomy and provide empirically validated recommendations for securing Redis deployments, emphasizing layered security controls and proper ACL implementation. This research contributes the first systematic evaluation of modern Redis injection vulnerabilities and highlights the critical importance of security-conscious configurations to protect vital data infrastructure.
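The abstract's central finding is that a restrictive ACL built on least privilege closes the command- and Lua-script-injection vectors that a default or password-only configuration leaves open. The script below is an added example, not the paper's test harness or Redis project code, written in Python because the paper's simulations are Python-driven. It replays `ACL SETUSER` rule strings offline, left to right as Redis does (a later rule overrides an earlier one), and reports the settings that widen the injection surface: no authentication, an unrestricted key pattern, and reachable `@scripting` or `@dangerous` commands. The category membership table is a constructed subset of Redis' real categories, and the three rule lines are constructed to contrast a default-style user, a half-hardened user, and a least-privilege user; the password value is a placeholder.

```python
"""Least-privilege checks for Redis ACL rule lines (added example, not the paper's code)."""

import re

# Constructed, partial map of ACL command categories to member commands.
# Redis' real categories are larger; this subset is an assumption for the
# example and covers the commands that matter for script injection and admin abuse.
CATEGORY_MEMBERS = {
    "@read": {"get", "mget", "hget", "lrange", "exists"},
    "@write": {"set", "del", "hset", "lpush", "incr"},
    "@scripting": {"eval", "evalsha", "script", "function", "fcall"},
    "@dangerous": {"config", "debug", "flushall", "flushdb", "keys",
                   "save", "shutdown", "module", "acl"},
}
ALL_COMMANDS = set().union(*CATEGORY_MEMBERS.values())


def effective_permissions(rule_line):
    """Replay one rule line; return (allowed_commands, key_patterns, state).

    rule_line looks like 'user app on >pw ~app:* -@all +get'; the leading
    'user <name>' printed by ACL LIST is optional.  Rules apply in order, so
    '+@all -@scripting' differs from '-@scripting +@all'.
    """
    tokens = rule_line.split()
    if tokens[:1] == ["user"]:
        tokens = tokens[2:]
    allowed = set()
    key_patterns = []
    state = {"enabled": False, "nopass": False, "has_password": False}
    for tok in tokens:
        if tok == "on":
            state["enabled"] = True
        elif tok == "off":
            state["enabled"] = False
        elif tok == "nopass":
            state["nopass"] = True
        elif tok == "resetpass":
            state["nopass"] = False
            state["has_password"] = False
        elif tok[0] in "><#!":          # add (> #) or remove (< !) a password
            state["has_password"] = tok[0] in ">#"
            state["nopass"] = False
        elif tok == "allkeys":
            key_patterns.append("*")
        elif tok == "resetkeys":
            key_patterns.clear()
        elif tok.startswith("~") or re.match(r"%[RW]+~", tok):
            key_patterns.append(tok.split("~", 1)[1])   # '~app:*' or '%R~app:*'
        elif tok in ("allcommands", "+@all"):
            allowed = set(ALL_COMMANDS)
        elif tok in ("nocommands", "-@all"):
            allowed = set()
        elif tok[0] in "+-" and tok[1:2] == "@":        # category rule
            members = CATEGORY_MEMBERS.get(tok[1:], set())
            allowed = allowed | members if tok[0] == "+" else allowed - members
        elif tok[0] in "+-":                            # single command rule
            cmd = tok[1:].split("|", 1)[0].lower()      # '+config|get' -> config
            if tok[0] == "+":
                allowed.add(cmd)
            else:
                allowed.discard(cmd)
        # '&' channel rules and selectors are accepted but not assessed here
    return allowed, key_patterns, state


def lint(rule_line):
    """Return the least-privilege findings for one rule line ([] means clean)."""
    allowed, key_patterns, state = effective_permissions(rule_line)
    findings = []
    if not state["enabled"]:
        return findings                 # a disabled user cannot be abused
    if state["nopass"] or not state["has_password"]:
        findings.append("no-auth: user authenticates without a password")
    if "*" in key_patterns:
        findings.append("all-keys: unrestricted key pattern ~*")
    scripting = sorted(allowed & CATEGORY_MEMBERS["@scripting"])
    if scripting:
        findings.append("scripting: Lua/function commands allowed: " + ", ".join(scripting))
    dangerous = sorted(allowed & CATEGORY_MEMBERS["@dangerous"])
    if dangerous:
        findings.append("dangerous: admin commands allowed: " + ", ".join(dangerous))
    return findings


# Constructed rule lines in the form printed by ACL LIST (password is a placeholder).
RULES = {
    # Approximates an out-of-the-box default user: no password, every key, every command.
    "default": "user default on nopass ~* &* +@all",
    # A common half-measure: password set and scripting removed, but +@all still
    # leaves CONFIG, FLUSHALL and the other administrative commands reachable.
    "half": "user app on >example-password ~app:* &* +@all -@scripting",
    # Least privilege: deny everything, then allow only what the application needs.
    "app": "user app on >example-password ~app:* &* -@all +get +set +del +exists",
}

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name:8s} -> {lint(rule) or ['OK']}")
```

The order-sensitive replay is the point of the example: the `half` rule looks hardened because `-@scripting` removes `EVAL`, yet it still reports the `@dangerous` commands, which is why the deny-all-then-allow-list form used by the `app` rule is the shape that matches the paper's recommendation.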
Copyright (c) 2025 Muhammad Nazeer Musa, Martins Ekata Irhebhude

This work is licensed under a Creative Commons Attribution 4.0 International License.