Cyber Web Spider Blog – News
CVSS 10.0 Vulnerability Lets Attackers Run Code Remotely

Posted on October 7, 2025 by CWS

Oct 07, 2025 | Ravie Lakshmanan | Vulnerability / Cloud Security
Redis has disclosed details of a maximum-severity security flaw in its in-memory database software that could result in remote code execution under certain circumstances.
The vulnerability, tracked as CVE-2025-49844 (aka RediShell), has been assigned a CVSS score of 10.0.
"An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution," according to a GitHub advisory for the issue. "The problem exists in all versions of Redis with Lua scripting."
However, for exploitation to succeed, an attacker must first obtain authenticated access to a Redis instance, making it essential that users do not leave their Redis instances exposed to the internet and that they secure them with strong authentication. Note that "authenticated" is a low bar on an instance with no password configured: the default user then accepts any client, so network reachability alone satisfies the precondition.

The issue affects all versions of Redis. It has been addressed in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, released on October 3, 2025.
As a temporary workaround until the patch can be applied, prevent users from executing Lua scripts by configuring an access control list (ACL) that denies the EVAL and EVALSHA commands. It is also important that only trusted identities can run Lua scripts or any other potentially dangerous commands. Keep in mind that ACL rules are applied in order, so a later +@all or +eval entry re-enables what an earlier rule removed.
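As an added example (not code from Redis, Wiz or the original article), the following POSIX shell helpers turn the two remediation points above into something you can run during triage: they compare a reported version against the fixed releases listed above, extract the version from `redis-server --version` or `INFO server` output, evaluate one `ACL LIST` line the way Redis does (rules left to right) to see whether a user can still reach EVAL/EVALSHA, and print the ACL command that removes scripting. The function names are mine, and the sample banner and ACL lines are constructed, not taken from a real deployment.

```shell
# Added triage helpers for CVE-2025-49844 (RediShell). Not Redis or Wiz code.
# Fixed releases per the advisory: 6.2.20, 7.2.11, 7.4.6, 8.0.4, 8.2.2.

# Print the first fixed release for a MAJOR.MINOR branch; fail (print nothing)
# for branches that received no fix, which must be moved to a fixed branch.
redis_fixed_for_branch() {
    case "$1" in
        6.2) echo 6.2.20 ;;
        7.2) echo 7.2.11 ;;
        7.4) echo 7.4.6 ;;
        8.0) echo 8.0.4 ;;
        8.2) echo 8.2.2 ;;
        *)   return 1 ;;
    esac
}

# Turn X.Y.Z into one integer so versions compare numerically (7.2.10 > 7.2.9).
version_key() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit 0 if VERSION still carries the bug, 1 if it is a fixed release.
# A branch with no fixed release is treated as vulnerable, since every
# version with Lua scripting is affected.
redis_is_vulnerable() {
    ver=$1
    branch=${ver%.*}                                  # 7.2.10 -> 7.2
    fixed=$(redis_fixed_for_branch "$branch") || return 0
    [ "$(version_key "$ver")" -lt "$(version_key "$fixed")" ]
}

# Pull the version out of `redis-server --version` output
# ("Redis server v=7.2.4 sha=... malloc=... bits=64 build=...")
# or out of the redis_version line of `INFO server`.
redis_version_from_banner() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*v=\([0-9][0-9.]*\).*/\1/p' \
        -e 's/^redis_version:\([0-9][0-9.]*\).*/\1/p'
}

# Given one `ACL LIST` line, exit 0 if that user can still run EVAL or EVALSHA.
# Redis applies ACL rules left to right, so "+@all -@scripting" denies Lua but
# "+@all -@scripting +eval" re-enables it; this mirrors that evaluation.
redis_acl_allows_lua() {
    set -f                      # ACL tokens such as ~* and &* must not glob
    set -- $1
    set +f
    eval_ok=0; evalsha_ok=0
    for tok in "$@"; do
        case "$tok" in
            +@all|allcommands|+@scripting) eval_ok=1; evalsha_ok=1 ;;
            -@all|nocommands|-@scripting)  eval_ok=0; evalsha_ok=0 ;;
            +eval)    eval_ok=1 ;;
            -eval)    eval_ok=0 ;;
            +evalsha) evalsha_ok=1 ;;
            -evalsha) evalsha_ok=0 ;;
        esac
    done
    [ "$eval_ok" -eq 1 ] || [ "$evalsha_ok" -eq 1 ]
}

# The advisory's mitigation as an ACL command. -@scripting removes the whole
# scripting category (EVAL, EVALSHA, EVAL_RO, EVALSHA_RO, FCALL, FUNCTION,
# SCRIPT), a superset of the EVAL/EVALSHA restriction the text names.
redis_acl_deny_scripting() {
    echo "ACL SETUSER $1 -@scripting"
}

# Constructed sample input (not from a real deployment).
banner='Redis server v=7.2.4 sha=00000000:0 malloc=jemalloc-5.3.0 bits=64 build=0'
v=$(redis_version_from_banner "$banner")
if redis_is_vulnerable "$v"; then
    echo "redis $v is vulnerable; upgrade to $(redis_fixed_for_branch "${v%.*}")"
fi
for line in \
    'user default on nopass sanitize-payload ~* &* +@all' \
    'user app on #c0ffee ~app:* &* +@all -@scripting' \
    'user ops on #c0ffee ~* &* +@all -@scripting +eval'
do
    set -f; set -- $line; set +f
    name=$2
    if redis_acl_allows_lua "$line"; then
        echo "$name: Lua allowed, apply: $(redis_acl_deny_scripting "$name")"
    else
        echo "$name: Lua denied"
    fi
done
```

Feed it real output from `redis-server --version` and `redis-cli ACL LIST`. Apply the printed `ACL SETUSER` to the `default` user as well, since that is the identity an unauthenticated client gets on a passwordless instance, and persist the change with `ACL SAVE` when an aclfile is configured; the version check is the thing that actually closes the bug, the ACL is only a stopgap.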
Cloud security company Wiz, which discovered and reported the flaw to Redis on May 16, 2025, described it as a use-after-free (UAF) memory corruption bug that has existed in the Redis source code for about 13 years.

It essentially allows an attacker to send a malicious Lua script that leads to arbitrary code execution outside the Redis Lua interpreter sandbox, granting them unauthorized access to the underlying host. In a hypothetical attack scenario, it could be leveraged to steal credentials, drop malware, exfiltrate sensitive data, or pivot to other cloud services.
"This flaw allows a post-auth attacker to send a specially crafted malicious Lua script (a feature supported by default in Redis) to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host," Wiz said. "This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments."

While there is no evidence that the vulnerability was ever exploited in the wild, Redis instances are a lucrative target for threat actors looking to conduct cryptojacking attacks and enlist them in a botnet. As of writing, there are about 330,000 Redis instances exposed to the internet, of which about 60,000 lack any authentication.
"With hundreds of thousands of exposed instances worldwide, this vulnerability poses a significant threat to organizations across all industries," Wiz said. "The combination of widespread deployment, default insecure configurations, and the severity of the vulnerability creates an urgent need for immediate remediation."

Source: The Hacker News. Tags: Attackers, Code, CVSS, Lets, Remotely, Run, Vulnerability