PT-2025-40594
Benny Isaacs +4
Published 2025-01-24 · Updated 2026-03-10
CVE-2025-49844
CVSS v3.1: 9.9 Critical | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Redis versions prior to 8.2.2
Redis versions prior to 8.0.4
Redis versions prior to 7.4.6
Redis versions prior to 7.2.11
Redis versions prior to 6.2.20
Description
Redis contains a use-after-free memory corruption vulnerability in its embedded Lua scripting engine, dubbed RediShell (CVE-2025-49844), that can lead to remote code execution (RCE). An authenticated attacker can exploit it by sending a specially crafted Lua script that escapes the Lua sandbox and executes arbitrary code on the host system. Approximately 330,000 Redis instances are exposed to the internet, around 60,000 of them without authentication, which increases the risk of exploitation. The vulnerability has existed for 13 years. Successful exploitation can allow attackers to steal credentials, deploy malware, or move laterally within a network. The EVAL and EVALSHA commands are involved in the exploitation process.
Recommendations
Upgrade Redis to version 8.2.2 or later.
Upgrade Redis to version 8.0.4 or later.
Upgrade Redis to version 7.4.6 or later.
Upgrade Redis to version 7.2.11 or later.
Upgrade Redis to version 6.2.20 or later.
Restrict the use of the EVAL and EVALSHA commands via Access Control Lists (ACLs) as a temporary mitigation.
Ensure Redis instances are not directly exposed to the internet.
Enforce strong authentication for all Redis instances.
Run Redis with a non-privileged user account.
Implement network restrictions to limit access to Redis instances.

Tags: Exploit · Fix · RCE · Use After Free
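To triage an inventory against the fixed versions listed in this advisory, here is an added Python example (not part of this advisory or of the Redis project) that reads the text returned by `INFO server` and reports whether the build predates the fix for its release branch; how it treats branches with no listed fix is an assumption noted in the code, and the INFO sample is constructed.

```python
import re

# Earliest fixed release on each branch, as listed in this advisory.
FIXED = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
    (6, 2): (6, 2, 20),
}

def parse_version(text):
    """Turn 'major.minor.patch' (trailing suffixes ignored) into a tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Redis version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    """True when the build predates the fix for its branch.
    Assumption (not in the advisory): a branch with no listed fix (e.g. 7.0.x)
    counts as affected if older than the newest fixed branch, else as fixed."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    return branch < max(FIXED)

def redis_version_from_info(info_text):
    """Pull redis_version out of the text returned by `INFO server`."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not present in INFO output")

# Constructed sample of `INFO server` output (not captured from a real host).
SAMPLE_INFO = "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"

def check_info(info_text):
    """Return (version, affected) for one INFO server dump."""
    version = redis_version_from_info(info_text)
    return version, is_vulnerable(version)

if __name__ == "__main__":
    version, affected = check_info(SAMPLE_INFO)
    print(f"Redis {version}: {'AFFECTED' if affected else 'fixed'} (CVE-2025-49844)")
```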
Affected Products
ALT Linux
AlmaLinux
CentOS
Debian
Linux Mint
Red Hat
RED OS
Redis
Rocky Linux
SUSE
Ubuntu