PT-2025-40594 · Redis +2

Benny Isaacs +4 · Published 2025-10-03 · Updated 2025-10-13 · CVE-2025-49844

CVSS v3.1: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Redis versions prior to 8.2.2
Redis versions prior to 8.0.4
Redis versions prior to 7.4.6
Redis versions prior to 7.2.11
Redis versions prior to 6.2.20
Description
Redis, an open-source in-memory database, contains a critical vulnerability (CVE-2025-49844, also known as RediShell) caused by a use-after-free memory-corruption bug that sat in its embedded Lua scripting engine for roughly 13 years. An authenticated client that is permitted to run Lua scripts can craft a script that manipulates the Lua garbage collector, escapes the Lua sandbox, and executes arbitrary native code in the context of the redis-server process on the host. Approximately 330,000 Redis instances are exposed to the internet, and around 60,000 of them require no authentication, so for those the only precondition is network reachability. Successful exploitation can lead to full system compromise, including theft of the data held in Redis, malware installation, and lateral movement within the network. Authentication is required, but the large number of unauthenticated instances, combined with the fact that a default Redis user may run scripts, makes this a widespread threat. A proof-of-concept exploit is publicly available.
Recommendations
Redis versions prior to 8.2.2: Upgrade to version 8.2.2 or later immediately.
Redis versions prior to 8.0.4: Upgrade to version 8.0.4 or later immediately.
Redis versions prior to 7.4.6: Upgrade to version 7.4.6 or later immediately.
Redis versions prior to 7.2.11: Upgrade to version 7.2.11 or later immediately.
Redis versions prior to 6.2.20: Upgrade to version 6.2.20 or later immediately.
Where patching cannot happen at once, the Redis advisory's interim workaround is to stop untrusted users from running Lua scripts by removing EVAL and EVALSHA (the @scripting ACL category) from their ACL rules; in all cases make sure every instance requires authentication and is not reachable from the internet. Note that the version comparison must be done per release branch: a 7.2.x server is only fixed at 7.2.11 or later, not by being "newer than 6.2.20".
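The following is an added example, not code from the advisory or from the Redis project, showing how a practitioner can turn the per-branch fixed-version table above into an automated check. It parses the `redis_version` field of `INFO server` output (the sample below is constructed, not captured from a real host) and compares it against the fixed release for that server's own branch, which avoids both the lexical trap where "7.2.9" sorts after "7.2.11" and the mistake of judging a 7.2.x server against the 8.2.2 number.

```python
"""Classify a Redis server's version against the fixed releases for
CVE-2025-49844.  Added example; not part of the advisory or Redis itself."""
import re

# Fixed release per (major, minor) branch, taken from the affected-versions
# list in the advisory.  Branches absent here have no fixed release listed.
FIXED_BY_BRANCH = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
    (6, 2): (6, 2, 20),
}

# Constructed sample of what `redis-cli INFO server` prints; only the
# redis_version line matters for this check.
SAMPLE_INFO = """# Server
redis_version:7.2.9
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 6.1.0 x86_64
"""


def parse_version(text):
    """Turn '7.2.9' (or '7.2.9-rc1') into an integer tuple (7, 2, 9).

    Tuple comparison is numeric per component, so (7, 2, 9) < (7, 2, 11),
    whereas comparing the strings would put '7.2.9' after '7.2.11'.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Redis version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def version_from_info(info_text):
    """Extract the redis_version value from INFO output; None if absent."""
    for line in info_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "redis_version":
            return value.strip()
    return None


def assess(version_text):
    """Return a dict with status 'fixed', 'vulnerable' or 'no-fix-listed'.

    'no-fix-listed' covers branches not in the advisory table (for example
    an end-of-life 5.x or 6.0 build); treat those as needing an upgrade to
    a listed branch rather than as safe.
    """
    version = parse_version(version_text)
    branch = version[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return {
            "version": version_text,
            "status": "no-fix-listed",
            "advice": "branch %d.%d has no fixed release in the advisory; "
                      "move to a supported branch at its fixed version" % branch,
        }
    fixed_text = ".".join(str(n) for n in fixed)
    if version >= fixed:
        return {"version": version_text, "status": "fixed",
                "advice": "at or above %s" % fixed_text}
    return {"version": version_text, "status": "vulnerable",
            "advice": "upgrade to %s or later" % fixed_text}


def assess_info(info_text):
    """Convenience wrapper: assess directly from INFO output."""
    version_text = version_from_info(info_text)
    if version_text is None:
        raise ValueError("no redis_version field in INFO output")
    return assess(version_text)


if __name__ == "__main__":
    result = assess_info(SAMPLE_INFO)
    print("%s: %s (%s)" % (result["version"], result["status"], result["advice"]))
```

In practice the input comes from `redis-cli -h <host> -p <port> INFO server` (with `-a`/`--user` for authenticated instances) run across the inventory; any result other than `fixed` belongs on the patch list, and `no-fix-listed` means the branch itself is out of the advisory's support window.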

Exploit

Fix

RCE

Use After Free

Weakness Enumeration
CWE-416: Use After Free

Related Identifiers

BDU:2025-12553
CVE-2025-49844
GHSA-4789-QFC9-5F9Q
ZDI-25-933

Affected Products

Debian
Redis
Ubuntu