Critical Lua scripting flaw enables remote code execution in Redis server
Take action: If you're running Redis with Lua scripting enabled, update immediately to the latest patched version (6.2.20, 7.2.11, 7.4.6, 8.0.4, or 8.2.2). If you can't patch right away, use Access Control Lists (ACLs) to block the EVAL and EVALSHA commands, or disable Lua scripting entirely until you can update.
Learn More
Redis is reporting a critical security vulnerability affecting all versions of its popular open-source in-memory database that support Lua scripting functionality.
The flaw is tracked as CVE-2025-49844 (CVSS score 10.0). It is a use-after-free in the Lua interpreter that Redis embeds for scripting: a specially crafted script can manipulate the garbage collector so that an object is freed while the interpreter still holds a reference to it. By timing garbage collection, an authenticated user who can submit scripts gains control over that freed memory and can execute arbitrary code with the privileges of the redis-server process. Note that on an instance with no password or ACL configured, any client that can reach the port is effectively authenticated as the default user.
Successful exploitation gives the attacker code execution on the Redis host, potentially leading to complete system compromise, unauthorized access to the data Redis holds, and lateral movement across the network.
Affected versions of Redis include all releases with Lua scripting support. That includes Redis 8.2.1 and below, as well as every release across the 6.x and 7.x branches. The vulnerability has existed in Redis since Lua scripting was introduced (Redis 2.6).
Redis has released security patches in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2. Administrators can verify the running version with the command redis-cli INFO SERVER | grep redis_version; the output line has the form redis_version:X.Y.Z, and the fixed release to compare against is the one listed above for that X.Y branch. Branches not listed (for example 6.0.x or 7.0.x) have no fixed release and should be moved to a supported branch.
Organizations using any Redis version with Lua scripting capabilities should upgrade immediately to one of these patched releases corresponding to their deployment branch. Redis Cloud managed services have already been upgraded with the fixes.
For organizations unable to upgrade immediately, Redis suggests using Access Control Lists (ACLs) to deny the EVAL and EVALSHA commands, which prevents users from executing Lua scripts. Apply the restriction to every user that can reach the instance, the default user included, and persist it with ACL SAVE or in the aclfile so it survives a restart. Redis 7 Functions (FUNCTION LOAD / FCALL) execute Lua as well, so denying only EVAL and EVALSHA leaves that path open; a conservative rule denies the whole @scripting category, which covers both. Where Lua scripting is not needed at all, removing these commands from every user eliminates the attack vector until patches can be deployed.
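The version check and the ACL mitigation above, as one added shell example (not Redis's own tooling): it parses redis_version out of INFO SERVER output, decides whether that build is at or above the fixed release for its branch, and emits the ACL SETUSER commands that remove Lua execution from named users. The sample INFO text is constructed; the version-string format, the five fixed releases, and the use of the @scripting category are the assumptions it relies on.

```shell
#!/bin/sh
# Added example (not Redis's own tooling): decide whether a redis-server build is
# patched for CVE-2025-49844 from its INFO SERVER output, and emit the ACL commands
# that shut off Lua execution for named users where upgrading has to wait.
# Assumptions: version strings are X.Y.Z; the fixed releases are the five named in
# the advisory; branches without a listed fix (e.g. 6.0.x, 7.0.x, 5.x) have no patch.

# Minimum fixed release for the branch of VERSION, or empty if the branch has none.
fixed_for_branch() {
  case "$1" in
    6.2.*) echo 6.2.20 ;;
    7.2.*) echo 7.2.11 ;;
    7.4.*) echo 7.4.6 ;;
    8.0.*) echo 8.0.4 ;;
    8.2.*) echo 8.2.2 ;;
    *) echo "" ;;
  esac
}

# version_ge A B: succeed if A >= B, comparing each dotted component numerically
# (plain string comparison would rank 7.2.9 above 7.2.11).
version_ge() {
  newest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
  [ "$newest" = "$1" ]
}

# is_patched VERSION: succeed only if VERSION is at or above the fix for its branch.
# Every Lua-capable release is affected, so an unknown branch counts as unpatched.
is_patched() {
  fix=$(fixed_for_branch "$1")
  [ -n "$fix" ] || return 1
  version_ge "$1" "$fix"
}

# Extract the redis_version field from INFO SERVER text on stdin (CRLF-tolerant).
redis_version_from_info() {
  sed -n 's/^redis_version:\([0-9.]*\).*$/\1/p' | head -n 1
}

# check_info INFO_TEXT: print a verdict and succeed only if the server is patched.
check_info() {
  v=$(printf '%s\n' "$1" | redis_version_from_info)
  if [ -z "$v" ]; then
    echo "could not find redis_version in INFO output"
    return 1
  fi
  fix=$(fixed_for_branch "$v")
  if is_patched "$v"; then
    echo "redis $v: patched for CVE-2025-49844"
    return 0
  elif [ -n "$fix" ]; then
    echo "redis $v: VULNERABLE, upgrade to $fix or later"
  else
    echo "redis $v: VULNERABLE, no fixed release on this branch; move to a patched branch"
  fi
  return 1
}

# Emit ACL SETUSER commands that strip the @scripting category from each named user.
# @scripting covers EVAL/EVALSHA, their *_RO variants and the Redis 7 FUNCTION/FCALL
# family, which also run Lua. Pipe the output into redis-cli, then run ACL SAVE (or
# keep the rule in the aclfile) so it survives a restart; include the default user.
lua_block_acl_commands() {
  for u in "$@"; do
    printf 'ACL SETUSER %s -@scripting\n' "$u"
  done
}

# Constructed sample of INFO SERVER output for an unpatched 7.2 build.
SAMPLE_INFO='# Server
redis_version:7.2.10
redis_git_sha1:00000000
redis_mode:standalone'

# Live use would feed `redis-cli INFO SERVER` (with -a or REDISCLI_AUTH as needed)
# into check_info; here the constructed sample is checked instead.
check_info "$SAMPLE_INFO" || :
lua_block_acl_commands default app
```

On the sample this prints that 7.2.10 is vulnerable and must move to 7.2.11 or later, followed by the two ACL SETUSER lines. Removing the whole @scripting category rather than only EVAL and EVALSHA is the conservative choice because it also closes the FUNCTION/FCALL path; if an application genuinely needs Lua, the only real fix is the upgrade.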
Redis has advised administrators to monitor for potential indicators of compromise, including unexplained Redis server crashes with stack traces originating from the Lua engine, unknown or anomalous command execution by the redis-server user, suspicious network egress traffic from Redis databases, and unauthorized changes to the file system, particularly in directories hosting Redis persistent or configuration files.