Redis Stack Overflow RCE and Apache bRPC Heap Profiler Command Injection
JFrog Security published a full exploit chain for a high-severity Redis stack buffer overflow, CVE-2025-62507 (CVSS 8.8), affecting Redis 8.2.0–8.2.2. The flaw is in the new XACKDEL command, where Redis fails to bounds-check the number of message IDs copied into a fixed-size stack array, enabling attacker-controlled overwrite of stack memory and potential control of the return address. The research also highlighted that the official Redis Docker image was compiled without stack canary protections, materially lowering exploitation difficulty and enabling practical remote code execution (RCE) via return-oriented techniques.
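The bug class described above, shown as an added illustrative example that is not Redis source code: a request-supplied count of IDs copied into a fixed-size stack array without comparing it to the array's capacity, beside the hardened form that rejects the batch before anything is copied. The capacity `MAX_IDS`, the `<ms>-<seq>` ID format and all function names are hypothetical stand-ins.

```c
/* Added illustrative example, not Redis source code: the bug class described
 * above (a request-supplied count of IDs copied into a fixed-size stack array
 * without comparing it to the array's capacity) beside the hardened form that
 * rejects the batch before any copy. MAX_IDS, the ID format and all function
 * names are hypothetical stand-ins. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_IDS 8            /* hypothetical capacity of the stack buffer */
#define ACK_ERR_SYNTAX   (-1)
#define ACK_ERR_TOO_MANY (-2)

typedef struct { unsigned long long ms, seq; } stream_id;

/* Parse "<ms>-<seq>" into a stream_id; 1 on success, 0 on malformed input. */
static int parse_id(const char *s, stream_id *out) {
    char *end;
    if (!isdigit((unsigned char)s[0])) return 0;
    unsigned long long ms = strtoull(s, &end, 10);
    if (*end != '-' || !isdigit((unsigned char)end[1])) return 0;
    const char *seq_s = end + 1;
    unsigned long long seq = strtoull(seq_s, &end, 10);
    if (*end != '\0') return 0;
    out->ms = ms;
    out->seq = seq;
    return 1;
}

/* BEFORE (the bug class): the loop bound is the request's own count, so a
 * batch with nids > MAX_IDS writes ids[MAX_IDS], ids[MAX_IDS + 1], ... past
 * the buffer into the rest of the stack frame. Shown for contrast only; it is
 * never called with an oversized batch in this file. */
int ack_ids_unchecked(const char **argv, int nids) {
    stream_id ids[MAX_IDS];
    for (int i = 0; i < nids; i++)
        if (!parse_id(argv[i], &ids[i])) return ACK_ERR_SYNTAX;
    return nids;
}

/* AFTER: compare the count to the capacity before the first write. */
int ack_ids_checked(const char **argv, int nids) {
    stream_id ids[MAX_IDS];
    if (nids <= 0 || nids > MAX_IDS) return ACK_ERR_TOO_MANY;
    for (int i = 0; i < nids; i++)
        if (!parse_id(argv[i], &ids[i])) return ACK_ERR_SYNTAX;
    return nids;
}

/* Constructed sample batches for the demo. */
int demo_valid_batch(void) {
    const char *ids[] = {"1700000000000-0", "1700000000000-1", "1700000000001-0"};
    return ack_ids_checked(ids, 3);                /* 3: all IDs accepted */
}
int demo_oversized_batch(void) {
    const char *ids[MAX_IDS + 4];
    for (int i = 0; i < MAX_IDS + 4; i++) ids[i] = "1-0";
    return ack_ids_checked(ids, MAX_IDS + 4);      /* ACK_ERR_TOO_MANY, nothing copied */
}
int demo_malformed_batch(void) {
    const char *ids[] = {"1-0", "not-an-id"};
    return ack_ids_checked(ids, 2);                /* ACK_ERR_SYNTAX */
}

int main(void) {
    printf("valid batch:     %d\n", demo_valid_batch());
    printf("oversized batch: %d\n", demo_oversized_batch());
    printf("malformed batch: %d\n", demo_malformed_batch());
    return 0;
}
```

The only difference between the two handlers is the single comparison against `MAX_IDS` before the loop; without it the array index is bounded by attacker-chosen input rather than by the buffer, which is exactly why a missing stack canary matters so much in the report above.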
Separately, a critical remote command-injection issue was reported in Apache bRPC’s built-in heap profiler service, CVE-2025-60021, affecting all versions prior to 1.15.0. The /pprof/heap endpoint fails to sanitize the extra_options parameter before it is incorporated into command execution for jemalloc profiling, allowing unauthenticated attackers to execute arbitrary system commands with the bRPC process’s privileges when the endpoint is exposed to untrusted networks. Recommended remediation is to upgrade to Apache bRPC 1.15.0+ or otherwise disable/restrict access to the vulnerable profiling endpoint in affected deployments.
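The command-injection pattern described above, as an added illustrative example that is not Apache bRPC source code: a request parameter pasted into a shell command line, beside a hardened handler that allowlists the parameter and launches the tool through `execvp()` with an explicit argument vector, so no shell ever parses the input. The binary name `profiler_bin`, the option grammar and all function names are hypothetical.

```c
/* Added illustrative example, not Apache bRPC source code: the bug class
 * described above (a request parameter pasted into a shell command line)
 * beside a hardened handler that allowlists the parameter and runs the tool
 * through execvp() with an explicit argv, so no shell ever parses the input.
 * "profiler_bin", the option grammar and all function names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_OPTS 8
#define MAX_OPT_LEN 64

/* WEAK: the shell interprets any metacharacters in extra_options. Shown for
 * contrast only; nothing in this file calls it. */
int run_profiler_weak(const char *extra_options) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "profiler_bin --raw %s", extra_options);
    return system(cmd);
}

/* Accept only space-separated tokens of the form --name or --name=value, with
 * names limited to [A-Za-z0-9_-] and values to [A-Za-z0-9_.-]. Writes each
 * token NUL-terminated into out[] and returns the token count, or -1 if any
 * token is rejected or a size limit is exceeded. */
int parse_extra_options(const char *input, char out[MAX_OPTS][MAX_OPT_LEN]) {
    int n = 0;
    const char *p = input;
    for (;;) {
        while (*p == ' ') p++;
        if (*p == '\0') return n;
        if (n == MAX_OPTS) return -1;
        const char *start = p;
        while (*p != '\0' && *p != ' ') p++;
        size_t len = (size_t)(p - start);
        if (len < 3 || len >= MAX_OPT_LEN) return -1;      /* at least "--x" */
        if (start[0] != '-' || start[1] != '-') return -1;
        int in_value = 0;
        for (size_t i = 2; i < len; i++) {
            unsigned char c = (unsigned char)start[i];
            if (c == '=' && !in_value && i > 2) { in_value = 1; continue; }
            if (isalnum(c) || c == '_' || c == '-') continue;
            if (in_value && c == '.') continue;
            return -1;                                      /* ; | $ ` & ( ) etc. */
        }
        if (start[len - 1] == '=') return -1;               /* empty value */
        memcpy(out[n], start, len);
        out[n][len] = '\0';
        n++;
    }
}

/* Convenience wrapper: token count for a valid string, -1 for a rejected one. */
int count_extra_options(const char *input) {
    char opts[MAX_OPTS][MAX_OPT_LEN];
    return parse_extra_options(input, opts);
}

/* Hardened launch: validate first, then fork/execvp with an argv array. Returns
 * the child's exit status, or -1 if the options were rejected or exec failed. */
int run_profiler_safe(const char *binary, const char *extra_options) {
    char opts[MAX_OPTS][MAX_OPT_LEN];
    int n = parse_extra_options(extra_options, opts);
    if (n < 0) return -1;                 /* rejected before anything runs */
    char *argv[MAX_OPTS + 3];
    int a = 0;
    argv[a++] = (char *)binary;
    argv[a++] = "--raw";
    for (int i = 0; i < n; i++) argv[a++] = opts[i];
    argv[a] = NULL;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(binary, argv);             /* argv is passed verbatim, no shell */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *inputs[] = {              /* constructed sample parameter values */
        "--lines --seconds=5",
        "--lines; id",
        "--lines $(id)",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-22s -> %s\n", inputs[i],
               count_extra_options(inputs[i]) < 0 ? "rejected" : "accepted");
    /* "true" stands in for the real profiler binary in this demo. */
    printf("exit status with valid options: %d\n", run_profiler_safe("true", "--lines"));
    return 0;
}
```

Two properties do the work here: the allowlist rejects the request before any process is created, and `execvp()` hands the tokens to the child as separate `argv` entries, so even a token that slipped through could not be re-parsed by a shell. Escaping for `system()` is the wrong fix because it has to anticipate every shell's quoting rules.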
Timeline
Jan 21, 2026
Redis fixes CVE-2025-62507 in version 8.3.2
Redis resolved the XACKDEL stack overflow vulnerability in version 8.3.2. The issue had exposed vulnerable internet-facing deployments, with cited Shodan data indicating nearly 3,000 exposed servers running affected versions.
Jan 21, 2026
JFrog publicly discloses Redis CVE-2025-62507 exploit chain
JFrog Security Research disclosed a full exploit chain for Redis vulnerability CVE-2025-62507, a stack buffer overflow in the XACKDEL command affecting Redis 8.2.0 through 8.2.2. The researchers showed reliable remote code execution in official Redis Docker containers by leveraging the lack of stack canary protections and building a ROP-based reverse shell exploit.
Jan 20, 2026
Apache bRPC command-injection vulnerability is publicly disclosed
A critical vulnerability, CVE-2025-60021, was disclosed in Apache bRPC's /pprof/heap endpoint, where the extra_options parameter can be abused to execute arbitrary system commands without authentication. Successful exploitation can lead to remote code execution, lateral movement, data theft, service disruption, and persistence.
Jan 20, 2026
Apache bRPC fixes CVE-2025-60021 in version 1.15.0
Apache bRPC addressed a critical command-injection flaw in its built-in heap profiler service in version 1.15.0, with upstream patch PR #3101 also available as a mitigation. The vulnerability affects all earlier versions when the jemalloc profiling endpoint is exposed to untrusted networks.
Related Stories
Critical MongoDB and Redis Flaws Expose Data and Enable Remote Code Execution
Security advisories warned of two severe database software vulnerabilities with immediate internet-facing risk. In MongoDB, an unauthenticated network attacker can trigger an information disclosure flaw—described in some reporting as **MongoBleed**—to make a vulnerable server return sensitive data such as credentials, secrets, and personal information. The issue affects MongoDB releases dating back to about 2017 and stems from insufficient validation in the `zlib` implementation, which can leak uninitialized heap memory allocated to MongoDB. Working exploitation methods are known, and defenders were told to watch for large volumes of malformed or compressed requests, decompression or memory-handling errors, and repeated unauthenticated connections. Patches are available in versions `8.2.3`, `8.0.17`, `7.0.28`, `6.0.27`, `5.0.32`, and `4.4.30`, while end-of-life branches remain unpatched. A separate advisory disclosed a **critical Redis vulnerability** affecting `8.2.1` and earlier when Lua scripting is enabled, which is the default configuration. The flaw is a use-after-free condition that can be triggered by a specially crafted Lua script and may allow **remote arbitrary code execution**, giving an attacker full control of the host running Redis. Officials urged immediate upgrades because the vulnerability is publicly known and exploitation could begin within hours, and they advised organizations to inspect any previously exposed Redis environments for signs of compromise. Fixed versions were listed as `6.2.20`, `7.2.11`, `7.4.6`, `8.0.4`, and `8.2.2`, alongside renewed guidance that Redis instances should not be exposed directly to the public internet.
1 week ago
Unpatched internet-facing servers remain exposed to critical RCE flaws in Redis and IceWarp
A long-lived **Redis** memory-corruption flaw dubbed **RediShell** (`CVE-2025-49844`) was reported as a *use-after-free* bug that can lead to **remote code execution** under certain conditions. Although exploitation requires authentication, research noted that tens of thousands of Redis instances have historically been exposed to the internet without authentication enabled, increasing real-world risk; the issue was discovered by **Wiz** and demonstrated at *Pwn2Own Berlin* prior to public disclosure. Separately, **IceWarp** disclosed a critical **unauthenticated RCE** (`CVE-2025-14500`) caused by **OS command injection** in handling of the `X-File-Operation` HTTP header, impacting both Windows and Linux deployments and enabling arbitrary command execution as **SYSTEM/root**. The flaw was reported in September 2025 and fixed in October 2025 across supported product lines, but **Shadowserver** reported more than **1,200** internet-facing on-prem instances still unpatched and said it is notifying affected owners to upgrade.
1 month ago
Critical Remote Code Execution Vulnerability in Redis via Lua Use-After-Free (CVE-2025-49844)
A critical security vulnerability, tracked as CVE-2025-49844, has been identified in Redis, an open-source, in-memory database widely used for caching and data storage. The flaw is rated with a CVSS score of 10.0, indicating maximum severity and potential for significant impact. This vulnerability arises from a use-after-free condition in the Lua scripting engine of Redis, which can be exploited by an authenticated user. By crafting a malicious Lua script, an attacker can manipulate the garbage collector within Redis, triggering the use-after-free bug. Successful exploitation of this flaw allows remote code execution on the affected Redis server, granting attackers the ability to run arbitrary code with the privileges of the Redis process. All Redis versions up to and including 8.2.1 are affected by this vulnerability, as they include the vulnerable Lua scripting functionality. The issue has been addressed in Redis version 8.2.2, which contains the necessary patch to remediate the flaw. As an immediate mitigation for organizations unable to upgrade, Redis administrators are advised to restrict the execution of Lua scripts by disabling the EVAL and EVALSHA commands through Access Control Lists (ACLs). The vulnerability requires authentication, but in environments where Redis is exposed to untrusted users or where credentials are weak, the risk of exploitation is heightened. Security advisories recommend prompt patching and review of user permissions to minimize exposure. The flaw was publicly disclosed in early October 2025, and security researchers have emphasized the critical nature of the bug due to its potential for remote exploitation. No specific products beyond Redis itself have been listed as affected, but any deployment using vulnerable versions is at risk. The vulnerability has been confirmed to be remotely exploitable, making it a high-priority issue for organizations relying on Redis for critical infrastructure. 
The security community has highlighted the importance of monitoring for suspicious Lua script activity as an additional detection measure. Redis users are urged to consult official advisories and update their systems as soon as possible to prevent compromise. The disclosure underscores the ongoing risks associated with embedded scripting engines in widely deployed software. Organizations should also review their network exposure and ensure Redis instances are not accessible from untrusted networks. The incident serves as a reminder of the importance of timely patch management and the need for defense-in-depth strategies in database deployments.
1 month ago