Authenticated access and the ability to run Lua scripts are required to exploit this vulnerability. However, every affected instance that has no authentication configured is vulnerable to any client that can reach it. Further details from the Redis team can be found here.
AI description
CVE-2025-49844 is a vulnerability in Redis that stems from improper memory management within its embedded Lua interpreter. The core issue is a use-after-free bug that can be triggered via a specially crafted Lua script. An authenticated user can manipulate the garbage collection process, exploiting freed memory pointers to potentially execute arbitrary code within the Redis server's process. This vulnerability exists in all Redis versions that include Lua scripting support. Redis has released patches to address this vulnerability. For more information on remediation, see the security advisory from Redis.
- Description
- Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around this issue without patching the redis-server executable, prevent users from executing Lua scripts. This can be done using ACL to restrict the EVAL and EVALSHA commands.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- redis
CVSS 3.1
- Type
- Primary
- Base score
- 9.9
- Impact score
- 6
- Exploitability score
- 3.1
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-416
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 57
New zero-day “RediShell” (CVE-2025-49844) in Redis allows Lua-based remote code execution on exposed or authenticated instances. Attackers could break out of sandbox, gain host-level control & move laterally. Patch now, disable Lua if unused. Read now: https://t.co/VIRY
@securitydailyr
8 Oct 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Beware of the serious Redis vulnerability CVE-2025-49844: risk of code execution https://t.co/a5DznNFUX1 #Security #セキュリティー #ニュース
@SecureShield_
8 Oct 2025
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Highly dangerous critical vulnerability in Redis (CVE-2025-49844): realistic likelihood of exploitation https://t.co/0Laq32P2oP #セキュリティ対策Lab #セキュリティ #Security
@securityLab_jp
8 Oct 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Urgent: A 13-year-old Redis RCE flaw (RediShell, CVE-2025-49844) can give attackers full host access, patch Redis, review exposure and logs. More details: https://t.co/AAAh0aisId #CyberSecurity #Redis #VulnerabilityManagement https://t.co/2L7tlLS5lM
@sctocs25
7 Oct 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️Vulnerability in Redis ❗CVE-2025-49844 ➡️More info: https://t.co/H5yDxMY6FB https://t.co/T0AvsXp6n1
@CERTpy
7 Oct 2025
90 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
CVE-2025-49844 : RediShell exploit https://t.co/U0gJSIH4lM https://t.co/kKplsUaHzU
@freedomhack101
7 Oct 2025
131 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
I would've reversed the order of recommendations by Wiz on their RediShell CVE-2025-49844 blog post. Network controls are easier & quicker to apply than changing server & client side configs, and involve no downtime. Even allowing all known IP ranges of your apps' service
@new23d
7 Oct 2025
59 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2025-49844 (RediShell) is a CVSS 10.0 flaw in Redis affecting all versions with Lua scripting. Authenticated attackers can exploit it to escape the Lua sandbox and execute arbitrary code on the host. Patched in: 6.2.20, 7.2.11, 7.4.6, 8.0.4, 8.2.2 Apply updates immediately
@CloneSystemsInc
7 Oct 2025
69 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical Redis vuln (CVE-2025-49844, CVSS 10.0) RediShell! Use-After-Free in Lua interpreter allows RCE. Patch to Redis 8.2.2, 8.0.4, 7.4.6, or 7.2.11 NOW! Details: https://t.co/B0x5qfcORM Secure your webhooks with @requestbin! Got Redis security tips? Share below! 👇
@RequestbinNet
7 Oct 2025
96 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨13-Year-Old Redis Flaw Exposed: CVSS 10.0 Vulnerability Lets Attackers Run Code Remotely CVE-2025-49844 “RediShell” is a 13-year-old UAF bug in Redis Lua scripting (CVSS 10.0) that allows authenticated RCE via crafted Lua to escape the sandbox and access the host. All
@H4ckmanac
7 Oct 2025
4307 Impressions
4 Retweets
14 Likes
6 Bookmarks
0 Replies
1 Quote
Jo @github, fix your #CVSS calculator (CVE-2025-49844) https://t.co/UYnYSsip2F
@rtfmkiesel
7 Oct 2025
86 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Redis CVE-2025-49844: Use-After-Free may lead to remote code execution #HackerNews https://t.co/wdsMIODzCC https://t.co/bGpEQOON3u
@hackernewstop5
7 Oct 2025
50 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Redis warns of a critical flaw affecting thousands of instances ⚠️ CVE-2025-49844 is caused by a 13-year-old use-after-free weakness, triggered using a Lua script https://t.co/0u0iroXcCp https://t.co/JdVGLcSKtW
@elhackernet
7 Oct 2025
3927 Impressions
7 Retweets
21 Likes
3 Bookmarks
0 Replies
0 Quotes
Critical Redis flaw (CVSS 10.0) found after 13 years! CVE-2025-49844 (RediShell) enables RCE for authenticated users. Patch now! 🚨 https://t.co/C77NnxrEt1 #Redis #Vulnerability #RCE
@0xT3chn0m4nc3r
7 Oct 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-49844 requires auth. So technically it's not a 10. Unless you don't have auth, or expose it to the internet without restriction, which are already big problems that just got huge. https://t.co/dRvC00Dp9o
@nas_bench
7 Oct 2025
3156 Impressions
4 Retweets
26 Likes
3 Bookmarks
0 Replies
0 Quotes
🚨WARNING: CVE-2025-49844 (RediShell): Redis flaw rated 10.0 CVSS A 13-year-old bug lets attackers escape Lua sandbox and run code on the host. Even worse — 60,000 Redis servers online have no auth. Patch now or risk full system takeover: https://t.co/w97rx3iRS6
@TheHackersNews
7 Oct 2025
24476 Impressions
91 Retweets
274 Likes
68 Bookmarks
9 Replies
9 Quotes
Redis warns of critical flaw impacting thousands of instances (CVE-2025-49844) https://t.co/g4zjCQkBWT #patchmanagement
@eyalestrin
7 Oct 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Redis Security Flaw CVE-2025-49844 Threatens Global Infrastructure https://t.co/lzxSQ9T8mc https://t.co/0OXiiEy8kh
@CybSecWorld
7 Oct 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 New Redis RCE Alert: CVE-2025-49844 https://t.co/QNEYp4BLYA Wiz Research uncovers #RediShell — a critical 13-year-old bug in Redis affecting 75% of cloud environments. 🔓 Exploits Lua scripting to escape sandbox & execute native code 🔥 CVSS 10.0 — full host t
@0x534c
7 Oct 2025
2398 Impressions
10 Retweets
38 Likes
19 Bookmarks
0 Replies
0 Quotes
🛑 Redis flaw: CVE-2025-49844 💥 Although authenticated access is required, Wiz estimates that at least 60,000 Internet-exposed instances are accessible without auth. 🧷 More info: https://t.co/WG387aO4j5 #Redis #infosec #cybersecurity https://t.co/CZj91zPfXc
@ITConnect_fr
7 Oct 2025
514 Impressions
4 Retweets
3 Likes
1 Bookmark
0 Replies
0 Quotes
📰 Criminal IP Cyber News! October 7 edition. A roundup of recent incidents around the world ✅ 🍺 #アサヒ (Asahi) Group HD discloses damage from a #ランサムウェア (ransomware) attack; traces of an information leak were confirmed on some servers.
@CriminalIP_JP
7 Oct 2025
82 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Serious Redis vulnerability affects thousands of instances (CVE-2025-49844) https://t.co/OXVSbCVkAP #Security #セキュリティー #ニュース
@SecureShield_
7 Oct 2025
55 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
RediShell CVE-2025-49844 is a perfect example of why you want exploit payload mitigation vs just tracking vulns; you can run totally vulnerable versions of this and nothing in the whitebox works when deployed as a nanos unikernel - you don't need to make it so easy for the 14yos
@nanovms
7 Oct 2025
307 Impressions
0 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
💥 Wiz Research has uncovered a critical Redis vulnerability that's been hiding for 13 years We found RediShell (CVE-2025-49844): an RCE bug in Redis that affects every version of Redis out there. It's rated CVSS 10 - the highest severity possible. The vulnerability lets http
@wiz_io
6 Oct 2025
58705 Impressions
123 Retweets
394 Likes
167 Bookmarks
6 Replies
17 Quotes
Warning: CVE-2025-49844 with a score of 9.9, affecting recent versions of #Redis, could result in unauthenticated #RCE! To protect your databases, read more at https://t.co/QJeGipeqxB and #Patch #Patch #Patch
@CCBalert
6 Oct 2025
360 Impressions
2 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A vulnerability with a CVSS score of 10 (?) in Redis. CVE-2025-49844 is a use-after-free in Lua. Authentication is required, and execution of a crafted Lua script is a precondition. The GitHub Advisory gives CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, but a CVSS score of 10 (the correct calculation
@__kokumoto
6 Oct 2025
1166 Impressions
2 Retweets
9 Likes
2 Bookmarks
0 Replies
0 Quotes
Four serious Lua-related vulnerabilities have been reported in Redis, of which CVE-2025-49844 is a critical RCE rated CVSS 10.0. Manipulating the garbage collector from a Lua script triggers a use-after-free, enabling arbitrary code execution.
@yousukezan
6 Oct 2025
1796 Impressions
2 Retweets
7 Likes
4 Bookmarks
0 Replies
0 Quotes
PATCH NOW: Critical RCE Flaw (CVE-2025-49844, CVSS 10.0) Exploiting Redis Servers Worldwide Read the full report on - https://t.co/tbKB6EfbaJ https://t.co/NrHlNgvdik
@Iambivash007
6 Oct 2025
19 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-49844 Redis Lua Scripting Use-After-Free Vulnerability Enables Remote Code Execution https://t.co/64x1jSr13h
@VulmonFeeds
4 Oct 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Redis CVE-2025-49844: Critical RCE Alert A use-after-free flaw in Redis Lua scripting allows unauthenticated RCE. Patch ASAP to protect your deployments. For more details, read ZeroPath's blog on this vuln. #Redis #AppSec #InfoSec https://t.co/o1Bs5XmdLI
@ZeroPathLabs
3 Oct 2025
93 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
CVE-2025-49844 Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manip… https://t.co/jwzzdNFc7H
@CVEnew
3 Oct 2025
340 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C2F4D4F6-6F7C-46BC-B37C-DFAC34B097AC",
            "versionEndExcluding": "6.2.20"
          },
          {
            "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4F82BD2A-473F-4F3F-9C80-C6448D07C45D",
            "versionEndExcluding": "7.2.11",
            "versionStartIncluding": "7.0"
          },
          {
            "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F6E336B8-E000-4EFA-95F8-F2B74A4913F0",
            "versionEndExcluding": "7.4.6",
            "versionStartIncluding": "7.4.0"
          },
          {
            "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "459EBC07-D37A-44E5-95DB-4C3FD9F008FF",
            "versionEndExcluding": "8.0.4",
            "versionStartIncluding": "8.0.0"
          },
          {
            "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CBF13EC1-FE0A-4242-B8D3-2681485DDDF2",
            "versionEndExcluding": "8.2.2",
            "versionStartIncluding": "8.2.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
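The NVD configuration block above encodes the affected Redis versions as cpeMatch entries with versionStartIncluding / versionEndExcluding bounds, and the description earlier on the page names the fixed releases. As an added example (not part of this page, of NVD's tooling or of Redis itself), the following Python evaluates those ranges for a redis_version string, so the output of INFO server from an inventory of hosts can be triaged against the CVE and mapped to the release each host needs. The NVD data is copied from the block above with the matchCriteriaId fields dropped; the host inventory is constructed, and treating multiple nodes inside one configuration as AND-ed is an assumption about how NVD groups them (this CVE has a single node, so it does not affect the result here).

```python
import json
import re

# NVD "configurations" data for CVE-2025-49844, copied from the block on this
# page (matchCriteriaId fields dropped; they are not needed for range checks).
NVD_CONFIGURATIONS = json.loads("""
[
  {
    "nodes": [
      {
        "negate": false,
        "operator": "OR",
        "cpeMatch": [
          {"criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "vulnerable": true,
           "versionEndExcluding": "6.2.20"},
          {"criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "vulnerable": true,
           "versionStartIncluding": "7.0", "versionEndExcluding": "7.2.11"},
          {"criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "vulnerable": true,
           "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.6"},
          {"criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "vulnerable": true,
           "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.4"},
          {"criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "vulnerable": true,
           "versionStartIncluding": "8.2.0", "versionEndExcluding": "8.2.2"}
        ]
      }
    ]
  }
]
""")


def parse_version(text):
    """Turn '7.2.10' or the INFO line 'redis_version:7.2.10' into (7, 2, 10).
    Pre-release suffixes such as '-rc1' are ignored for range comparison."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def match_applies(version, match):
    """Range test for one cpeMatch entry. Only the version bounds are checked;
    the criteria string is assumed to be the redis:redis product."""
    lo_in, hi_ex = match.get("versionStartIncluding"), match.get("versionEndExcluding")
    lo_ex, hi_in = match.get("versionStartExcluding"), match.get("versionEndIncluding")
    if lo_in is not None and version < parse_version(lo_in):
        return False
    if hi_ex is not None and version >= parse_version(hi_ex):
        return False
    if lo_ex is not None and version <= parse_version(lo_ex):
        return False
    if hi_in is not None and version > parse_version(hi_in):
        return False
    return True


def node_applies(version, node):
    """Combine the node's vulnerable cpeMatch entries with its operator/negate."""
    hits = [match_applies(version, m) for m in node["cpeMatch"] if m.get("vulnerable", True)]
    result = all(hits) if node.get("operator") == "AND" else any(hits)
    return (not result) if node.get("negate") else result


def is_affected(version_text, configs=NVD_CONFIGURATIONS):
    """True when the version falls inside an affected range. Nodes within one
    configuration are AND-ed (assumption); configurations are OR-ed."""
    version = parse_version(version_text)
    return any(all(node_applies(version, n) for n in cfg["nodes"]) for cfg in configs)


def fixed_version_for(version_text, configs=NVD_CONFIGURATIONS):
    """versionEndExcluding of the affected range containing the version, i.e.
    the first release on that line that NVD lists as not affected; None when
    the version is outside every affected range."""
    version = parse_version(version_text)
    for cfg in configs:
        for node in cfg["nodes"]:
            for m in node["cpeMatch"]:
                if m.get("vulnerable", True) and match_applies(version, m):
                    return m.get("versionEndExcluding")
    return None


# Constructed inventory: host name -> redis_version line from INFO server.
SAMPLE_INVENTORY = {
    "cache-01": "redis_version:7.2.10",
    "cache-02": "redis_version:8.2.2",
    "sessions": "redis_version:5.0.14",
    "queue": "redis_version:8.0.3",
}


def triage(inventory=SAMPLE_INVENTORY):
    """Map each host to (affected?, first fixed release on its line)."""
    return {host: (is_affected(v), fixed_version_for(v)) for host, v in inventory.items()}


if __name__ == "__main__":
    for host, (affected, fixed) in triage().items():
        status = f"AFFECTED, upgrade to >= {fixed}" if affected else "outside affected ranges"
        print(f"{host:10s} {status}")
```

A version that falls outside every range (for instance one on or above 6.2.20 but below 7.0) is reported as not affected because NVD records no range for it, which matches the fixed releases the description lists; a build with an unusual version string should still be compared against the Redis advisory rather than trusted on the range check alone. Hosts that cannot be upgraded promptly keep the page's stated interim mitigation of using ACL to restrict EVAL and EVALSHA.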