wwsX0r's comments

But it says the Lua script feature is open by default, so any authenticated user (or 60k without auth) can run Lua scripts -> use this RCE

The Lua interpreter in Redis doesn’t allow you to run regular code, you can’t even “print”, not to mention load libraries as in a regular Lua interpreter. It’s a sandboxed one with very minimal operations you can do

The vulnerability appears to _be_ a Lua sandbox escape.

Surprisingly high numbers of exposed instances to the internet and unauth
