PT-2025-40594 · Redis +3

Benny Isaacs +4 · Published 2025-10-03 · Updated 2025-10-15

CVE-2025-49844

CVSS v3.1: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Redis versions prior to 8.2.2
Redis versions prior to 8.0.4
Redis versions prior to 7.4.6
Redis versions prior to 7.2.11
Redis versions prior to 6.2.20
LF Projects' Valkey versions affected by CVE-2025-49844
Description

Redis is an open-source, in-memory data store that can persist its dataset to disk. A critical vulnerability (CVE-2025-49844), dubbed RediShell, is a use-after-free memory corruption bug in the embedded Lua scripting engine. An attacker who can run Lua scripts (the EVAL and EVALSHA commands, which are enabled by default and need only an authenticated connection) can craft a script that triggers the use-after-free, escape the Lua sandbox, and execute arbitrary code on the host in the context of the redis-server process. Approximately 330,000 Redis instances are exposed to the internet, and around 60,000 of them have no authentication at all, so on those hosts any network peer meets that precondition. The bug has been present in the code base for about 13 years. The CVSS v3.1 vector listed above scores 9.9; the original disclosure rated the issue 10.0. Successful exploitation can lead to full system takeover, data theft, and the deployment of malware. A proof-of-concept exploit is publicly available.
Recommendations

Upgrade Redis to version 8.2.2 or later.
Upgrade Redis to version 8.0.4 or later.
Upgrade Redis to version 7.4.6 or later.
Upgrade Redis to version 7.2.11 or later.
Upgrade Redis to version 6.2.20 or later.
If upgrading is not immediately possible, deny the EVAL and EVALSHA commands to every user via Access Control Lists (ACLs); the @scripting ACL category also covers EVAL_RO, EVALSHA_RO, SCRIPT, FUNCTION and FCALL, which reach the same Lua engine.
Disable Lua scripting if it is not required. Redis has no configuration switch that turns the Lua engine off, so this is done by removing the scripting commands from all users' ACLs (applications that rely on EVAL will break, so test first).
Ensure Redis instances have strong authentication enabled; without it, the PR:L precondition in the vector above is met by anyone who can reach the port.
Restrict network access to Redis instances to trusted hosts.
Run Redis with a non-privileged user account, so that code execution inside redis-server does not by itself yield root.
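The two checks a practitioner wants after reading the list above are "is this server on a fixed release?" and "what is the ACL rule that removes Lua scripting?". The script below is an added example, not part of the advisory or of the Redis project: it parses the redis_version line from `INFO server` output, compares it against the fixed releases listed above branch by branch, and prints the ACL command that strips the @scripting category from a user. Function names, the sample INFO text and the user name app_user are my own choices; the fixed-release list is the advisory's.

```sh
#!/bin/sh
# Added example (not from the advisory or the Redis project): version check for
# CVE-2025-49844 plus the ACL mitigation. All function names are hypothetical.

# Fixed release per branch, taken from the advisory. Branches with no listed fix
# (7.0.x, anything older than 6.2) have no patched release to compare against.
fixed_release_for_branch() {
  case $1 in
    6.2) echo 6.2.20 ;;
    7.2) echo 7.2.11 ;;
    7.4) echo 7.4.6 ;;
    8.0) echo 8.0.4 ;;
    8.2) echo 8.2.2 ;;
    *)   return 1 ;;
  esac
}

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B (numeric major.minor.patch).
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) { print "-1"; exit }
      if (x[i] + 0 > y[i] + 0) { print "1"; exit }
    }
    print "0"
  }'
}

# is_vulnerable VERSION: exit 0 if below the fix for its branch, 1 if at/above it,
# 2 if the branch has no fix in the advisory (treat such servers as unpatched).
is_vulnerable() {
  branch=${1%.*}                                   # "7.4.5" -> "7.4"
  fixed=$(fixed_release_for_branch "$branch") || return 2
  [ "$(vercmp "$1" "$fixed")" -lt 0 ]
}

# status_of VERSION: "vulnerable", "fixed" or "unknown" (no listed fix for the branch).
status_of() {
  rc=0
  is_vulnerable "$1" || rc=$?
  case $rc in
    0) echo vulnerable ;;
    2) echo unknown ;;
    *) echo fixed ;;
  esac
}

# redis_version_from_info INFO_TEXT: extracts redis_version from `INFO server`
# output. redis-cli prints INFO with CRLF line endings, so the CR is stripped.
redis_version_from_info() {
  printf '%s\n' "$1" | tr -d '\r' | awk -F: '$1 == "redis_version" { print $2; exit }'
}

# acl_rule USER: keeps USER's existing permissions and removes the @scripting
# category, which holds EVAL/EVALSHA (named in the advisory) together with
# EVAL_RO, EVALSHA_RO, SCRIPT, FUNCTION and FCALL.
acl_rule() {
  printf 'ACL SETUSER %s -@scripting\n' "$1"
}

# Constructed sample of `redis-cli INFO server` output (not captured from a real host).
SAMPLE_INFO=$(printf '# Server\r\nredis_version:7.4.5\r\nredis_mode:standalone\r\nos:Linux\r\n')

ver=$(redis_version_from_info "$SAMPLE_INFO")
printf 'redis_version=%s status=%s\n' "$ver" "$(status_of "$ver")"
acl_rule app_user
```

Against a live server, feed `redis-cli -h HOST -a PASSWORD INFO server` into redis_version_from_info instead of the constructed sample. The ACL rule must be applied to every user that can reach the server, the default user included (`ACL SETUSER default -@scripting`), and then persisted with `ACL SAVE` when an aclfile is configured or `CONFIG REWRITE` when users live in redis.conf; otherwise the mitigation disappears at the next restart.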

Exploit

Fix

RCE

Use After Free

Weakness Enumeration

CWE-416 Use After Free

Related Identifiers

ALT-PU-2025-12931
BDU:2025-12553
CVE-2025-49844
GHSA-4789-qfc9-5f9q
ZDI-25-933

Affected Products

Alt Linux
Debian
Redis
Ubuntu