A critical use-after-free vulnerability, identified as CVE-2025-49844, has been discovered in Redis servers, enabling authenticated attackers to achieve remote code execution.
This high-severity flaw affects all versions of Redis that utilize the Lua scripting engine, presenting a significant threat to a wide range of deployments that rely on the popular in-memory data store.
The core of the issue lies in how Redis handles memory management within its Lua scripting component. An authenticated user with permissions to run Lua scripts can craft a malicious script to manipulate the server’s garbage collector.
This manipulation triggers a use-after-free condition, a memory corruption flaw where the application attempts to access memory after it has already been freed.
Vulnerability Details
A skilled attacker can exploit this condition to hijack the application’s execution flow, ultimately leading to the execution of arbitrary code on the server. This provides the attacker with control over the Redis instance and the underlying system.
The potential for remote code execution makes this a critical vulnerability. A successful exploit could allow an attacker to compromise the confidentiality, integrity, and availability of the data stored within the Redis database.
Attackers could steal sensitive information, modify or delete records, or cause a denial-of-service condition. Furthermore, a compromised Redis server can serve as a foothold for attackers to move laterally across a network, escalating their privileges and targeting other internal systems.
The flaw’s impact is widespread, as it affects all Redis versions that support Lua scripting, a feature that has been integral to the platform for many years.
| CVE ID | Affected Product(s) | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|---|---|---|---|---|
| CVE-2025-49844 | All Redis versions with Lua scripting | Remote Code Execution | Authenticated access with permissions to execute Lua scripts | To be determined |
Mitigations
While organizations await a formal security patch, a robust workaround is available to mitigate the risk. Administrators are strongly advised to prevent users from executing Lua scripts, which is the primary attack vector.
This can be implemented by modifying Redis Access Control Lists (ACLs) to restrict the EVAL and EVALSHA commands. By blocking these commands, any attempt to run a malicious script will be denied, effectively neutralizing the threat.
This workaround provides an immediate defense without needing to update the redis-server executable and should be prioritized for all production environments.
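A small audit script for the ACL workaround, added here as an example and not part of the advisory or of Redis itself: it parses the text that `redis-cli ACL LIST` prints, applies Redis's left-to-right rule evaluation for EVAL and EVALSHA only, and emits the `ACL SETUSER` commands that revoke them. The `ACL LIST` sample embedded below is constructed, and the category list assumes the documented membership of EVAL/EVALSHA in `@all`, `@slow` and `@scripting`.

```python
"""Audit `redis-cli ACL LIST` output for users who can still run EVAL/EVALSHA."""

SCRIPT_CMDS = frozenset({"eval", "evalsha"})
# ACL categories that contain EVAL and EVALSHA (per the Redis command docs).
SCRIPT_CATEGORIES = frozenset({"@all", "@slow", "@scripting"})

# Constructed sample of `ACL LIST` output; user names and hashes are made up.
SAMPLE_ACL_LIST = """\
user default on nopass ~* &* +@all
user app on #0123abcd ~app:* &* +@all -@scripting
user worker on #4567ef00 ~job:* &* -@all +@read +@slow
user ops off #89ab0000 ~* &* +@all -eval -evalsha
"""


def exposed_script_commands(tokens):
    """Apply command rules left to right (last match wins) and return the
    script commands still allowed. Only EVAL/EVALSHA are modelled."""
    allowed = set()
    for tok in tokens:
        word = tok.lower()
        if word in ("allcommands", "+@all"):
            allowed |= SCRIPT_CMDS
        elif word in ("nocommands", "-@all", "reset"):
            allowed.clear()
        elif word[0] in "+-":
            target = word[1:].split("|")[0]  # drop any subcommand suffix
            hits = SCRIPT_CMDS if target in SCRIPT_CATEGORIES else {target} & SCRIPT_CMDS
            allowed = allowed | hits if word[0] == "+" else allowed - hits
    return allowed


def parse_acl_list(text):
    """Return {username: [rule tokens]} from ACL LIST text."""
    users = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "user":
            users[parts[1]] = parts[2:]
    return users


def audit(text):
    """Map each enabled user to the sorted script commands it can still run."""
    findings = {}
    for name, tokens in parse_acl_list(text).items():
        if "off" in tokens:
            continue  # disabled user: cannot authenticate at all
        exposed = exposed_script_commands(tokens)
        if exposed:
            findings[name] = sorted(exposed)
    return findings


def remediation(findings):
    """Build the ACL SETUSER commands to run via redis-cli (then ACL SAVE)."""
    return [f"ACL SETUSER {user} " + " ".join(f"-{c}" for c in cmds)
            for user, cmds in sorted(findings.items())]
```

Note that a rule such as `+@slow` re-grants EVAL without naming it, so every enabled user should be audited, not only those whose rules mention scripting.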
The issue was responsibly disclosed by researchers Benny Isaacs, Nir Brakha, and Sagi Tzadik of Wiz, who collaborated with Trend Micro’s Zero Day Initiative.