A critical security vulnerability has been discovered in Redis Server that could allow authenticated attackers to achieve remote code execution through a use-after-free flaw in the Lua scripting engine.
The vulnerability, tracked as CVE-2025-49844, affects all versions of Redis that support Lua scripting functionality.
Critical Memory Corruption Flaw Discovered
Security researchers from Wiz, including Benny Isaacs, Nir Brakha, and Sagi Tzadik working with Trend Micro’s Zero Day Initiative, identified this severe vulnerability that exploits Redis’s garbage collection mechanism.
The flaw allows authenticated users to craft malicious Lua scripts that manipulate the garbage collector, triggering a use-after-free condition that can lead to arbitrary code execution on the target system.
| Field | Value |
| CVE ID | CVE-2025-49844 |
| Vulnerability Type | Use-After-Free (CWE-416) |
| Impact | Remote Code Execution |
| CVSS 3.1 Score | 10.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) |
| Severity | Critical |
The vulnerability stems from improper memory management in Redis’s Lua scripting implementation, where memory references can persist after the garbage collector has freed the underlying memory structures.
This creates a dangerous condition where attackers can potentially control freed memory regions and execute arbitrary code with the privileges of the Redis server process.
The vulnerability presents significant risks to organizations running Redis deployments, particularly those allowing authenticated users to execute Lua scripts.
Attackers with valid Redis credentials can exploit this flaw remotely over network connections without requiring additional user interaction or elevated privileges on the target system.
The attack complexity is rated as low, meaning exploitation techniques are likely to be straightforward once the vulnerability details become widely known.
The changed scope rating indicates that successful exploitation could impact resources beyond the Redis server itself, potentially affecting other systems or data within the same security boundary.
While patches are still under development (marked as “TBD”), Redis administrators can implement immediate protective measures.
The primary workaround involves using Access Control Lists (ACLs) to restrict the EVAL and EVALSHA commands, effectively preventing users from executing Lua scripts altogether.
This mitigation strategy eliminates the attack vector while maintaining other Redis functionality.
Organizations should review their Redis configurations to identify instances where Lua scripting is enabled and assess whether this functionality is essential for their operations.
Those who can disable Lua scripting should implement ACL restrictions immediately as a temporary security measure.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
