Critical Remote Code Execution Vulnerability in Redis via Lua Use-After-Free (CVE-2025-49844)
A critical security vulnerability, tracked as CVE-2025-49844, has been identified in Redis, the open-source in-memory database widely used for caching and data storage. The flaw carries a CVSS score of 10.0, the maximum severity rating. It stems from a use-after-free condition in Redis's embedded Lua scripting engine and can be exploited by an authenticated user: a crafted Lua script can manipulate the garbage collector within Redis to trigger the use-after-free, and successful exploitation yields remote code execution on the affected Redis server, letting an attacker run arbitrary code with the privileges of the Redis process.

All Redis versions up to and including 8.2.1 are affected, since they ship the vulnerable Lua scripting functionality. The issue is fixed in Redis version 8.2.2, which contains the patch for the flaw. For organizations that cannot upgrade immediately, Redis administrators are advised to restrict Lua script execution by disabling the EVAL and EVALSHA commands through Access Control Lists (ACLs). Exploitation requires authentication, but the risk is heightened wherever Redis is exposed to untrusted users or protected only by weak credentials; security advisories recommend prompt patching and a review of user permissions to minimize exposure.

The flaw was publicly disclosed in early October 2025, and security researchers have stressed its critical nature because it can be exploited remotely. No products beyond Redis itself have been listed as affected, but any deployment running a vulnerable version is at risk. Because the vulnerability is confirmed to be remotely exploitable, it is a high-priority issue for organizations that rely on Redis for critical infrastructure.
The security community has highlighted the importance of monitoring for suspicious Lua script activity as an additional detection measure. Redis users are urged to consult official advisories and update their systems as soon as possible to prevent compromise. The disclosure underscores the ongoing risks associated with embedded scripting engines in widely deployed software. Organizations should also review their network exposure and ensure Redis instances are not accessible from untrusted networks. The incident serves as a reminder of the importance of timely patch management and the need for defense-in-depth strategies in database deployments.
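As an added example (not code from the advisory or the Redis project), the following Python helpers show the triage a defender would script around this summary: checking a server's reported version against the fixed releases listed on this page, emitting the ACL rule that removes scripting from a user, and flagging Lua execution in `redis-cli MONITOR` output. The MONITOR line format and the `@scripting` ACL category are Redis's own; the sample INFO and MONITOR lines are constructed, and the 7.x/8.x branch table is taken from the fixed versions quoted on this page.

```python
import re

# Fixed versions per release branch, as listed in the advisories on this page.
FIXED = {(6, 2): (6, 2, 20), (7, 2): (7, 2, 11), (7, 4): (7, 4, 6),
         (8, 0): (8, 0, 4), (8, 2): (8, 2, 2)}

# Commands that load or execute Lua; all are members of the @scripting ACL category.
SCRIPT_COMMANDS = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO", "SCRIPT",
                   "FUNCTION", "FCALL", "FCALL_RO"}

# One line of `redis-cli MONITOR` output: <ts> [<db> <client>] "<cmd>" "<arg>" ...
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] "(?P<cmd>[^"]+)"(?P<args>.*)$')

def parse_version(info_text):
    """Return redis_version from `INFO server` output as an (x, y, z) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    """True if the version predates the fix for its branch (CVE-2025-49844)."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch with no listed fix (e.g. 7.0): fall back to the advisory's blanket
        # statement that everything up to and including 8.2.1 is affected.
        return version <= (8, 2, 1)
    return version < fixed

def acl_deny_scripting(user):
    """ACL rule implementing the advisory's interim mitigation for one user."""
    return f"ACL SETUSER {user} -@scripting"

def find_script_activity(monitor_lines):
    """Flag scripting commands in MONITOR output as (client, command, args)."""
    hits = []
    for line in monitor_lines:
        m = MONITOR_RE.match(line)
        if m and m.group("cmd").upper() in SCRIPT_COMMANDS:
            hits.append((m.group("client"), m.group("cmd").upper(), m.group("args").strip()))
    return hits

# Constructed sample data (not captured from a real server).
SAMPLE_INFO = "# Server\r\nredis_version:7.2.10\r\nredis_mode:standalone\r\n"
SAMPLE_MONITOR = [
    '1759881600.123456 [0 10.0.0.5:51234] "GET" "session:abc"',
    '1759881601.654321 [0 10.0.0.9:40000] "EVAL" "return 1" "0"',
    '1759881602.000001 [0 10.0.0.9:40000] "evalsha" "0123456789abcdef0123" "0"',
]
```

In a real deployment, feed `parse_version` the output of `redis-cli INFO server` and `find_script_activity` a captured MONITOR stream; any hit from a client that is not expected to run scripts is worth investigating.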
Timeline
Oct 9, 2025
Public PoC and additional mitigation guidance emerge
By October 9, 2025, reporting indicated a public proof-of-concept was available for CVE-2025-49844, increasing exploitation risk. Additional mitigation guidance recommended restricting or disabling the EVAL and EVALSHA commands via ACLs if immediate upgrading was not possible.
Oct 6, 2025
Government advisory urges organizations to apply Redis updates
On October 6, 2025, the Canadian Centre for Cyber Security issued advisory AV25-646, urging administrators to review Redis's security advisory and apply the necessary updates for CVE-2025-49844. The notice reinforced the severity of the issue across multiple Redis product versions using Lua scripting.
Oct 6, 2025
Public technical details highlight internet-exposed Redis risk
By October 6, 2025, public reporting and vendor research described the flaw as 'RediShell,' explained Lua sandbox escape and reverse-shell risks, and warned that roughly 330,000 Redis instances were internet-exposed, including about 60,000 without authentication. Guidance emphasized immediate patching, restricting network access, and disabling or limiting Lua scripting where needed.
Oct 3, 2025
Redis publishes advisory and patches for CVE-2025-49844
On October 3, 2025, Redis disclosed CVE-2025-49844, a critical Lua scripting use-after-free flaw that can allow authenticated remote code execution. Redis released patched versions across affected OSS, Community Edition, Stack, and Enterprise branches, while Redis Cloud users were already protected.
May 1, 2025
Wiz reports Redis Lua RCE at Pwn2Own Berlin
Wiz researchers discovered and reported the Redis Lua use-after-free remote code execution vulnerability, later assigned CVE-2025-49844, at Pwn2Own Berlin in May 2025. The flaw had reportedly existed in Redis code for about 13 years.
Related Stories

Critical MongoDB and Redis Flaws Expose Data and Enable Remote Code Execution
Security advisories warned of two severe database software vulnerabilities with immediate internet-facing risk. In MongoDB, an unauthenticated network attacker can trigger an information disclosure flaw—described in some reporting as **MongoBleed**—to make a vulnerable server return sensitive data such as credentials, secrets, and personal information. The issue affects MongoDB releases dating back to about 2017 and stems from insufficient validation in the `zlib` implementation, which can leak uninitialized heap memory allocated to MongoDB. Working exploitation methods are known, and defenders were told to watch for large volumes of malformed or compressed requests, decompression or memory-handling errors, and repeated unauthenticated connections. Patches are available in versions `8.2.3`, `8.0.17`, `7.0.28`, `6.0.27`, `5.0.32`, and `4.4.30`, while end-of-life branches remain unpatched. A separate advisory disclosed a **critical Redis vulnerability** affecting `8.2.1` and earlier when Lua scripting is enabled, which is the default configuration. The flaw is a use-after-free condition that can be triggered by a specially crafted Lua script and may allow **remote arbitrary code execution**, giving an attacker full control of the host running Redis. Officials urged immediate upgrades because the vulnerability is publicly known and exploitation could begin within hours, and they advised organizations to inspect any previously exposed Redis environments for signs of compromise. Fixed versions were listed as `6.2.20`, `7.2.11`, `7.4.6`, `8.0.4`, and `8.2.2`, alongside renewed guidance that Redis instances should not be exposed directly to the public internet.
1 week ago
Unpatched internet-facing servers remain exposed to critical RCE flaws in Redis and IceWarp
A long-lived **Redis** memory-corruption flaw dubbed **RediShell** (`CVE-2025-49844`) was reported as a *use-after-free* bug that can lead to **remote code execution** under certain conditions. Although exploitation requires authentication, research noted that tens of thousands of Redis instances have historically been exposed to the internet without authentication enabled, increasing real-world risk; the issue was discovered by **Wiz** and demonstrated at *Pwn2Own Berlin* prior to public disclosure. Separately, **IceWarp** disclosed a critical **unauthenticated RCE** (`CVE-2025-14500`) caused by **OS command injection** in handling of the `X-File-Operation` HTTP header, impacting both Windows and Linux deployments and enabling arbitrary command execution as **SYSTEM/root**. The flaw was reported in September 2025 and fixed in October 2025 across supported product lines, but **Shadowserver** reported more than **1,200** internet-facing on-prem instances still unpatched and said it is notifying affected owners to upgrade.
1 month ago
Redis Stack Overflow RCE and Apache bRPC Heap Profiler Command Injection
**JFrog Security** published a full exploit chain for a high-severity Redis stack buffer overflow, **CVE-2025-62507** (CVSS 8.8), affecting **Redis 8.2.0–8.2.2**. The flaw is in the new `XACKDEL` command, where Redis fails to bounds-check the number of message IDs copied into a fixed-size stack array, enabling attacker-controlled overwrite of stack memory and potential control of the return address. The research also highlighted that the *official Redis Docker image* was compiled **without stack canary protections**, materially lowering exploitation difficulty and enabling practical **remote code execution (RCE)** via return-oriented techniques. Separately, a critical remote command-injection issue was reported in **Apache bRPC**’s built-in heap profiler service, **CVE-2025-60021**, affecting **all versions prior to 1.15.0**. The `/pprof/heap` endpoint fails to sanitize the `extra_options` parameter before it is incorporated into command execution for jemalloc profiling, allowing **unauthenticated** attackers to execute arbitrary system commands with the bRPC process’s privileges when the endpoint is exposed to untrusted networks. Recommended remediation is to **upgrade to Apache bRPC 1.15.0+** or otherwise disable/restrict access to the vulnerable profiling endpoint in affected deployments.
1 month ago