PT-2025-40594 · Redis +10
Benny Isaacs and 4 others · Published 2025-01-24 · Updated 2026-06-22 · CVE-2025-49844
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Redis versions prior to 8.2.2
Redis versions prior to 8.0.4
Redis versions prior to 7.4.6
Redis versions prior to 7.2.11
Redis versions prior to 6.2.20
Description
A use-after-free memory corruption issue exists in the Lua scripting engine of Redis, known as RediShell. An authenticated user can execute a specially crafted Lua script to manipulate the Lua Garbage Collector (GC), which is a process that automatically reclaims memory by deleting objects no longer in use. This manipulation allows the attacker to escape the Lua sandbox—an isolated environment designed to restrict script execution—and achieve remote code execution on the underlying host system. This could lead to full system compromise, including the theft of SSH keys and cloud tokens, data exfiltration, or the installation of malware. Approximately 330,000 Redis instances are exposed to the internet, with at least 60,000 lacking authentication, making them highly susceptible to this issue.
Recommendations
Update to version 8.2.2, 8.0.4, 7.4.6, 7.2.11, or 6.2.20.
As a temporary workaround, restrict the use of the EVAL and EVALSHA commands via Access Control Lists (ACLs) to prevent the execution of Lua scripts.
Enforce strong authentication using the requirepass directive.
Restrict network access to Redis instances using firewalls and VPCs to ensure they are only accessible from trusted hosts.
Run Redis using a non-root user account to limit the impact of a potential compromise.
Exploit · Fix · RCE · DoS · Use After Free
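A defender-side check for the recommendations above, added here as an example and not code from the advisory or from the Redis project. It reads the text returned by the standard Redis commands `INFO server` and `ACL LIST` (the samples embedded below are constructed, not captured from a real server), compares the reported version against the fixed releases listed above, and flags enabled ACL users that can still reach EVAL/EVALSHA or that log in without a password. The ACL parser is a deliberately simplified model (rules applied left to right; only `@all`, `@scripting` and the EVAL/EVALSHA rules are tracked; key patterns, channel patterns and selectors are ignored), and versions on branches the advisory does not list are treated as unpatched, which is an assumption based on the advisory's "prior to" wording.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
    (6, 2): (6, 2, 20),
}

# Lua entry points the advisory recommends restricting via ACLs.
SCRIPT_COMMANDS = ("eval", "evalsha")


def parse_version(text):
    """Turn '7.4.5' (or '7.4.5-rc1') into a comparable (7, 4, 5) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def redis_version_from_info(info_text):
    """Pull the redis_version field out of INFO server output (field:value lines)."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return parse_version(line.split(":", 1)[1])
    raise ValueError("redis_version field not found")


def fixed_release_for(version):
    """Fixed release on this version's branch, or None if the advisory lists none."""
    return FIXED_VERSIONS.get(version[:2])


def is_vulnerable(version):
    """True when the version is below its branch's fixed release.

    Assumption: branches the advisory does not list (for example 7.0.x) are older
    than every listed fix, so the 'prior to' wording covers them; treat as unpatched.
    """
    fixed = fixed_release_for(version)
    return True if fixed is None else version < fixed


def parse_acl_list(acl_text):
    """Parse ACL LIST output into {user: (enabled, nopass, script_cmds_allowed)}.

    Simplified model: rules apply left to right; only @all, @scripting and the
    EVAL/EVALSHA rules are tracked; key/channel patterns and selectors are ignored.
    """
    users = {}
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        enabled, nopass = False, False
        allowed = dict.fromkeys(SCRIPT_COMMANDS, False)
        for token in parts[2:]:
            low = token.lower()
            if low == "on":
                enabled = True
            elif low == "off":
                enabled = False
            elif low == "nopass":
                nopass = True
            elif low in ("+@all", "allcommands", "+@scripting"):
                allowed = dict.fromkeys(SCRIPT_COMMANDS, True)
            elif low in ("-@all", "nocommands", "-@scripting"):
                allowed = dict.fromkeys(SCRIPT_COMMANDS, False)
            elif low[0] in "+-" and low[1:] in SCRIPT_COMMANDS:
                allowed[low[1:]] = low[0] == "+"
        users[parts[1]] = (enabled, nopass, frozenset(c for c, ok in allowed.items() if ok))
    return users


def assess(info_text, acl_text):
    """Combine the version check and the ACL review into one findings dict."""
    version = redis_version_from_info(info_text)
    users = parse_acl_list(acl_text)
    return {
        "version": version,
        "fixed_release": fixed_release_for(version),
        "vulnerable": is_vulnerable(version),
        # Enabled users who can still reach the Lua engine: the workaround is not applied for them.
        "script_capable_users": sorted(u for u, (on, _, cmds) in users.items() if on and cmds),
        # Enabled users that authenticate without a password.
        "passwordless_users": sorted(u for u, (on, nopass, _) in users.items() if on and nopass),
    }


# Constructed sample output (not captured from a real server).
SAMPLE_INFO = "# Server\r\nredis_version:7.4.5\r\nredis_mode:standalone\r\nos:Linux\r\n"
FAKE_HASH = "#" + "ab" * 32  # placeholder standing in for a sha256 password hash
SAMPLE_ACL = "\n".join([
    "user default on nopass sanitize-payload ~* &* +@all",
    f"user app on {FAKE_HASH} ~app:* &* -@all +@read +@write",
    f"user ops on {FAKE_HASH} ~* &* +@all -@scripting",
    "user legacy off nopass ~* &* +@all",
])

if __name__ == "__main__":
    for key, value in assess(SAMPLE_INFO, SAMPLE_ACL).items():
        print(f"{key}: {value}")
```

To run it against a live instance, replace the constructed samples with the text returned by `redis-cli INFO server` and `redis-cli ACL LIST`. Any user reported under `script_capable_users` is one for which the advisory's interim workaround has not been applied; removing `@scripting` (or `eval` and `evalsha` individually) from that user's ACL rules closes the Lua entry point until the instance is upgraded, and any user under `passwordless_users` contradicts the requirepass recommendation.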
Affected Products
Alt Linux
Almalinux
Centos
Debian
Linuxmint
Red Hat
Red Os
Redis
Rocky Linux
Suse
Ubuntu