
CVSS 10.0 Vulnerability Lets Attackers Run Code Remotely

Redis has disclosed details of a maximum-severity security flaw in its in-memory database software that could result in remote code execution under certain circumstances.

The vulnerability, tracked as CVE-2025-49844 (aka RediShell), has been assigned a CVSS score of 10.0.

"An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution," according to a GitHub advisory for the issue. "The problem exists in all versions of Redis with Lua scripting."

However, for exploitation to be successful, an attacker must first gain authenticated access to a Redis instance, making it essential that users do not leave their Redis instances exposed to the internet and secure them with strong authentication.


The issue affects all versions of Redis. It has been addressed in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, released on October 3, 2025.

As a temporary workaround until the patch can be applied, it is recommended to prevent users from executing Lua scripts by setting an access control list (ACL) that restricts the EVAL and EVALSHA commands. It is also essential that only trusted identities can run Lua scripts or any other potentially dangerous commands.
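The ACL workaround above is easy to apply but also easy to get wrong on a server that already has several users defined. The following script is an added example (not part of the original article and not Redis's own tooling): it takes the text lines returned by `ACL LIST`, applies each user's command rules left to right the way Redis does, and reports which users can still run the Lua entry points. The `ACL LIST` line format is assumed from the Redis 7 documentation, the user names and password hashes in the sample are constructed placeholders, and Redis 7 ACL selectors in `(...)` are assumed not to be in use.

```python
"""
Audit Redis ACL rules for Lua-script access (mitigation check for CVE-2025-49844).

Added example, not part of the original article or of Redis itself. Input is the
line-per-user text that `ACL LIST` returns, assumed to look like:
  user <name> <flags...> <passwords> <key patterns> <channel patterns> <command rules>
The sample lines below are constructed for this example.
"""

# Lua-script entry points. Redis keeps EVAL/EVALSHA (and the read-only variants)
# in the @scripting ACL category, so "-@scripting" denies all of them at once.
SCRIPT_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro"}

# The advisory's workaround written as a redis-cli line. "appuser" is a placeholder.
HARDENING_RULE = "ACL SETUSER appuser -eval -evalsha -eval_ro -evalsha_ro"

# Constructed stand-in for the SHA-256 password hash that ACL LIST prints after "#".
PLACEHOLDER_HASH = "#" + "0" * 64

SAMPLE_ACL_LIST = [  # constructed sample output
    "user default on nopass sanitize-payload ~* &* +@all",
    f"user appuser on {PLACEHOLDER_HASH} ~app:* &* +@all -eval -evalsha -eval_ro -evalsha_ro",
    f"user analyst on {PLACEHOLDER_HASH} ~* &* +@all -@scripting",
    "user legacy off nopass ~* &* +@all",
]


def script_access(rule_tokens):
    """Return the scripting commands still allowed after applying the command
    rules left to right, which is how Redis evaluates ACL rules."""
    allowed = set()
    for tok in rule_tokens:
        t = tok.lower()
        if t in ("allcommands", "+@all", "+@scripting"):
            allowed = set(SCRIPT_COMMANDS)
        elif t in ("nocommands", "-@all", "-@scripting"):
            allowed = set()
        elif t.startswith("+") and t[1:] in SCRIPT_COMMANDS:
            allowed.add(t[1:])
        elif t.startswith("-") and t[1:] in SCRIPT_COMMANDS:
            allowed.discard(t[1:])
    return allowed


def audit_acl_list(acl_lines):
    """Map each user in ACL LIST output to the scripting commands it may run.
    Disabled users (flag "off") are reported with an empty set."""
    report = {}
    for line in acl_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "user":
            continue  # not an ACL LIST line
        name = parts[1]
        if parts[2] == "off":
            report[name] = set()
            continue
        # Command rules are the tokens beginning with "+"/"-" plus the two aliases;
        # password, key and channel tokens use "#", ">", "~", "%" and "&" prefixes.
        rules = [p for p in parts[2:]
                 if p[0] in "+-" or p in ("allcommands", "nocommands")]
        report[name] = script_access(rules)
    return report


def users_with_script_access(acl_lines):
    """Sorted names of enabled users who can still execute Lua scripts."""
    return sorted(u for u, cmds in audit_acl_list(acl_lines).items() if cmds)


if __name__ == "__main__":
    for user, cmds in audit_acl_list(SAMPLE_ACL_LIST).items():
        status = ("CAN run Lua: " + ", ".join(sorted(cmds))) if cmds else "Lua blocked"
        print(f"{user:10} {status}")
    print("Remediation for flagged users, e.g.:", HARDENING_RULE)
```

Against the constructed sample only `default` is flagged, because it still carries the stock `+@all`. In practice, feed the script the output of `redis-cli ACL LIST` and apply `-@scripting` (or the narrower per-command rule in `HARDENING_RULE`) to every flagged user, then re-run the audit until nothing is reported.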


Cloud security firm Wiz, which discovered and reported the flaw to Redis on May 16, 2025, described it as a use-after-free (UAF) memory corruption bug that has existed in the Redis source code for about 13 years.

It essentially allows an attacker to send a malicious Lua script that leads to arbitrary code execution outside of the Redis Lua interpreter sandbox, granting them unauthorized access to the underlying host. In a hypothetical attack scenario, it could be leveraged to steal credentials, drop malware, exfiltrate sensitive data, or pivot to other cloud services.

"This flaw allows a post-auth attacker to send a specially crafted malicious Lua script (a feature supported by default in Redis) to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host," Wiz said. "This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments."


While there is no evidence that the vulnerability was ever exploited in the wild, Redis instances are a lucrative target for threat actors looking to conduct cryptojacking attacks and enlist them in a botnet. As of writing, there are about 330,000 Redis instances exposed to the internet, of which about 60,000 lack any authentication.


"With hundreds of thousands of exposed instances worldwide, this vulnerability poses a significant threat to organizations across all industries," Wiz said. "The combination of widespread deployment, default insecure configurations, and the severity of the vulnerability creates an urgent need for immediate remediation."
