CVE-2025-49844

Published Oct 3, 2025

Last updated 25 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-49844 is a vulnerability in Redis that stems from improper memory management within its embedded Lua interpreter. The core issue is a use-after-free bug that can be triggered via a specially crafted Lua script. An authenticated user can manipulate the garbage collection process, exploiting freed memory pointers to potentially execute arbitrary code within the Redis server's process. This vulnerability exists in all Redis versions that include Lua scripting support. Redis has released patches to address this vulnerability. For more information on remediation, see the security advisory from Redis.

Description
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. The workaround for this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACLs to restrict the EVAL and EVALSHA commands.
Source
security-advisories@github.com
NVD status
Analyzed
Products
redis, valkey

Insights

Analysis from the Intruder Security Team
Published Oct 7, 2025

Authenticated access and the ability to run Lua scripts are required to exploit this vulnerability. However, all affected instances without authentication configured are vulnerable. Further details from the Redis team can be found here.
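The check a defender would run behind the two points above (the ACL workaround in the Description, and the unauthenticated case the Intruder analysis singles out), as an added example that is not Redis's or the advisory's own code: it parses ACL user lines in the users.acl / ACL LIST syntax and reports every enabled user who can still reach EVAL or EVALSHA, flagging those that also need no password. The categories it models (@all, @scripting, @slow) are real Redis ACL categories; the user names and passwords in the sample are constructed, and the ops line shows the advisory's workaround expressed as ACL rules.

```python
# Added example, not from the advisory: audit Redis ACL user lines (users.acl /
# ACL LIST syntax) for enabled users who can still reach EVAL or EVALSHA.
LUA_CMDS = ("eval", "evalsha")
# Categories known to contain EVAL/EVALSHA: @all, @scripting and @slow (every
# command that is not @fast). Other categories are assumed not to grant them.
CATS_WITH_LUA = {"all", "scripting", "slow"}


def parse_acl_user(line):
    """Return (name, enabled, nopass, {cmd: allowed}) for one 'user ...' line."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL user line: {line!r}")
    name, enabled, nopass = tokens[1], False, False
    allowed = dict.fromkeys(LUA_CMDS, False)  # a new user starts as nocommands
    for tok in tokens[2:]:
        low = tok.lower()
        if low in ("on", "off"):
            enabled = low == "on"
        elif low == "reset":                  # off + nocommands + password reset
            enabled, nopass = False, False
            allowed = dict.fromkeys(LUA_CMDS, False)
        elif low == "nopass":
            nopass = True
        elif low == "resetpass" or low[0] in ">#":  # setting a password clears nopass
            nopass = False
        elif low in ("allcommands", "+@all", "nocommands", "-@all"):
            allowed = dict.fromkeys(LUA_CMDS, low in ("allcommands", "+@all"))
        elif low[:2] in ("+@", "-@"):
            if low[2:] in CATS_WITH_LUA:
                allowed = dict.fromkeys(LUA_CMDS, low[0] == "+")
        elif low[0] in "+-":
            cmd = low[1:].split("|", 1)[0]    # '+eval|...' still names eval
            if cmd in allowed:
                allowed[cmd] = low[0] == "+"
        # '~' key patterns, '&' channel patterns etc. do not affect commands
    return name, enabled, nopass, allowed


def audit_acl(lines):
    """Findings for every enabled user who can run EVAL and/or EVALSHA."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        name, enabled, nopass, allowed = parse_acl_user(line)
        cmds = [c for c in LUA_CMDS if allowed[c]]
        if enabled and cmds:
            findings.append({"user": name, "commands": cmds, "nopass": nopass})
    return findings


# Constructed sample in users.acl syntax (plaintext '>' passwords for readability).
SAMPLE_ACL = """\
user default on nopass sanitize-payload ~* &* +@all
user app on >app-secret ~app:* &* -@all +@read +@write
user ops on >ops-secret ~* &* +@all -eval -evalsha
user batch on >batch-secret ~* &* -@all +@read +eval
user hardened on >hard-secret ~* &* +@all -@scripting
"""
```

Running `audit_acl(SAMPLE_ACL.splitlines())` reports the default user (both commands, no password) and batch (EVAL only); ops and hardened are clean, and `-@scripting` is broader than the advisory's workaround because it also removes SCRIPT, FUNCTION and FCALL.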

Risk scores

CVSS 3.1

Type
Primary
Base score
9.9
Impact score
6
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-416

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

16

  1. 🔴 RediShell (CVE-2025-49844) critical RCE (CVSS 10.0) discovered after 13 years. There are still 8500+ exposed instances; make sure none of them is yours ;) 👉More info: https://t.co/Hk9BaJWxoJ https://t.co/vqs4UZhtSP

    @rootedcon

    10 Nov 2025

    742 Impressions

    4 Retweets

    6 Likes

    1 Bookmark

    1 Reply

    1 Quote

  2. Actively exploited CVE : CVE-2025-49844

    @transilienceai

    10 Nov 2025

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. Serious Redis vulnerability RediShell CVE-2025-49844 FIXED: possible host compromise via Lua sandbox escape https://t.co/Zi92pSe7sH A use-after-free type memory corruption in Redis's Lua engine, and EVAL, Lua's execution feature

    @iototsecnews

    10 Nov 2025

    97 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 Critical remote code execution vulnerability discovered in Redis after 13 years ⚠️ CVE-2025-49844 https://t.co/jTnFIup9n3

    @elhackernet

    9 Nov 2025

    6635 Impressions

    23 Retweets

    100 Likes

    18 Bookmarks

    2 Replies

    1 Quote

  5. 🌐 🚨 DEVELOPING: RediShell (CVE-2025-49844) — Redis Lua engine enables host-level RCE; 8,500+ Redis instances exposed worldwide. Disclosed by Wiz. https://t.co/mtpowLdfRw #cyber #infosec #OSINT

    @STRATINT_AI

    30 Oct 2025

    3898 Impressions

    7 Retweets

    46 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🔴 RediShell RCE: 8,500 Vulnerable Redis Instances Exposed (CVE-2025-49844) Redis patched a use-after-free in Lua scripting engine enabling sandbox escape and host-level RCE. CVSS 10.0. Criminal IP found 8,500 unpatched instances globally (many flagged Dangerous/Critical). Th

    @the_c_protocol

    30 Oct 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. RediShell vulnerability | CVE-2025-49844 - Stormshield https://t.co/2t5WRNh5Q2 #PreventionInternet #Cybersécurité

    @Prevention_web

    30 Oct 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Critical RediShell RCE Threatens 8,500+ Redis Servers Worldwide A critical Redis Lua scripting vulnerability, CVE-2025-49844, exposes over 8,500 deployments worldwide to remote code execution. Disclosed by Wiz in October 2025, it involves a use-after-free memory corruption that

    @Secwiserapp

    30 Oct 2025

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🚨 Security Advisory — #RediShell RCE (CVE-2025-49844) 🚨​ The RediShell #RCE is a critical use-after-free flaw in Redis's Lua engine enabling host-level Remote Code Execution (RCE).​ ☑️59,000+ exposed Redis instances detected​ ☑️8,500 unpatched Redis instanc

    @CriminalIP_US

    30 Oct 2025

    1006 Impressions

    3 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 💥 #RediShell (CVE-2025-49844) Unpatched status and recommended actions. Remote code execution (RCE) attacks exploiting the vulnerability in Redis's Lua engine are being actively observed. According to Criminal IP Search, the internet-exposed

    @CriminalIP_JP

    30 Oct 2025

    98 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  11. 💥 #RediShell (CVE-2025-49844) Patch delay notice and recommendations. Remote code execution (RCE) attacks exploiting the vulnerability in Redis's Lua engine are being actively observed. According to Criminal IP Search, Redis instances exposed on the internet 59,75

    @CriminalIP_KR

    30 Oct 2025

    75 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  12. The "RediShell" RCE vulnerability (CVE-2025-49844) poses a critical risk to over 8,500 exposed Redis instances, urging users to apply patches and enable authentication immediately to prevent remote code execution threats. #RediShell #CVE202549844 https://t.co/4JhPTasppN

    @Cyber_O51NT

    30 Oct 2025

    1984 Impressions

    13 Retweets

    17 Likes

    7 Bookmarks

    2 Replies

    0 Quotes

  13. [1day1line] CVE-2025-49844: RCE Vulnerability in Redis Caused by Use After Free via Lua Script https://t.co/z0PZdAz4eh Today's 1day1line: CVE-2025-49844, a Use After Free RCE vulnerability discovered in Redis. The vulnerability is caused by unpinned chunks accessed via Lua

    @hackyboiz

    29 Oct 2025

    2916 Impressions

    11 Retweets

    39 Likes

    19 Bookmarks

    0 Replies

    0 Quotes

  14. 🚨CVE-2025-49844: Redis Lua Use-After-Free may lead to remote code execution Exploit: https://t.co/oQTTzuI5nb Advisory: https://t.co/yXmGPpm1bJ CVSS: 10 FOFA Link: https://t.co/Sq4ZLUbS7m FOFA Query: app="redis" Results: 1,977,550 https://t.co/MU0an8ebyH

    @DarkWebInformer

    28 Oct 2025

    9867 Impressions

    29 Retweets

    81 Likes

    35 Bookmarks

    0 Replies

    0 Quotes

  15. New issue of DevOpsLinks is out! 🚨 Redis CVE-2025-49844 (CVSS 10), 🪝 Git pre-commit + 🧬 SHA-256/3.0, ☁️ MCP on ACA, 🛡️ AI in DevSecOps, 🚫 blocking 26M curl reqs, 🏛️ Shopify 30TB/min monolith, 🐧 Linux 6.18 RC1, 💸 Hetzner -76%. Read: https://t.co/e5

    @_FAUNDOL_

    21 Oct 2025

    33 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  16. 🚨 RediShell [Critical] Oct 21, 2025 This report analyzes the RediShell vulnerability (CVE-2025-49844), a critical remote code execution flaw affecting Redis servers. The vulnerability, stemming from a use-after-free condition in Redis's Lua scripting engine, allows attackers..

    @transilienceai

    21 Oct 2025

    100 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  17. Redis 7.4.5 Lua vulnerabilities CVE-2025-49844/46817/46818: PoC provided https://t.co/ECyawJKXZa The exploitation techniques for the three vulnerabilities in Redis 7.4.5 are clearly explained. A new TString in the Lua parser, lacking stack protection

    @iototsecnews

    20 Oct 2025

    100 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. We implemented an exploit for RediShell (CVE-2025-49844). While doing so, we discovered that the publicly available PoC incorrectly uses loadstring to trigger the Redis UAF. Kudos to @wiz_io for the interesting findings! https://t.co/o525HxQfzB

    @DarkNavyOrg

    19 Oct 2025

    15348 Impressions

    50 Retweets

    231 Likes

    83 Bookmarks

    0 Replies

    0 Quotes

  19. In our latest insights, we dive into CVE-2025-49844 (RediShell), a critical RCE vulnerability affecting Redis data stores. Read more: https://t.co/VNAppZyMWX https://t.co/e5TEExHva6

    @Harborcoattech

    18 Oct 2025

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. 🧨 A 13-year-old software flaw in Redis just blew open serious risk: CVE-2025-49844 (aka “RediShell”) allows remote code execution via Lua scripts. (The Hacker News, 2025) Yes, old software still lives, and attackers love that. Why this matters to you: • If your site or

    @BGMloop

    16 Oct 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  21. 🚨 KeyDB RCE via Lua — CVE-2025-49844! Attackers can run code remotely via Lua scripting. Update to patched versions NOW or disable/restrict Lua, isolate KeyDB, tighten ACLs, rotate creds, and monitor logs. 🔍 https://t.co/2VFuAYlmkC https://t.co/qNk2g54lex

    @vulert_official

    16 Oct 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 🚨 KeyDB RCE via Lua — CVE-2025-49844! Attackers can run code remotely through Lua scripting. Update to the patched versions NOW or disable/restrict Lua, isolate KeyDB, and tighten ACLs. 🔍https://t.co/2VFuAYlmkC https://t.co/6nTqugX1ne

    @vulert_official

    16 Oct 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. 🔴 Redis exposes a critical 13-year-old vulnerability (CVE-2025-49844, CVSS 10.0). It affects all versions with Lua scripting support. An attacker can execute remote code by manipulating the Lua execution environment. https://t.co/KuLppgUArL

    @henryraul

    15 Oct 2025

    95 Impressions

    9 Retweets

    8 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  24. Moohoo! Update 2025-10 has just been released: https://t.co/KYdeeGOT7u This update addresses the critical CVE-2025-49844 affecting @Redisinc. While the exploit was not exposed in mailcow environments, updating is still strongly recommended.

    @mailcow_email

    15 Oct 2025

    464 Impressions

    2 Retweets

    11 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  25. 🔴 Redis just patched CVE-2025-49844, a critical use-after-free RCE in the default-enabled Lua engine affecting all versions. Authenticated exploits enable sandbox escape and full host compromise—reverse shells, credential theft, lateral movement, malware deployment. What's

    @the_c_protocol

    14 Oct 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. redis cve-2025-49844 https://t.co/F9bb6qbQGD https://t.co/Flk0jANP2y https://t.co/7uW5cEUYZZ

    @isValidUserId

    14 Oct 2025

    218 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  27. CVSS 10.0: Critical RediShell vulnerability threatens most cloud environments. Wiz Research researchers have identified an extremely severe vulnerability that enables remote code execution (CVE-2025-49844) in the widely used Redis database

    @linuxmint_hun

    13 Oct 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. CVE-2025-49844 https://t.co/DvR8Fcjq7C https://t.co/E7aniUVA9E

    @SecAlertsCo

    13 Oct 2025

    64 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. RediShell: Critical Remote Code Execution Vulnerability (CVE-2025-49844) in Redis, 10 CVSS score Wiz Research discovers vulnerability stemming from 13-year-old bug present in all Redis versions, used in 75% of cloud environments. https://t.co/BKC07zsril #security #redis

    @jvela

    13 Oct 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. lol did bitnami just drop all of its images that were vulnerable to CVE-2025-49844? Nice

    @xoxodeadbeef

    12 Oct 2025

    71 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  31. Sakura Cloud has also issued a RediShell alert. Sakura Cloud's packet filter feature is fairly hard to configure and is sometimes not set up correctly, so particular caution is warranted. / “[Important] Redis 'RediShell (CVE-2025-49

    @matsuu

    12 Oct 2025

    2516 Impressions

    5 Retweets

    14 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  32. 🚨 CVE-2025-49844 - critical 🚨 Redis Lua Parser < 8.2.2 - Use After Free > Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and... 👾 https://t.co/tVI8G3mmcN @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    12 Oct 2025

    241 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. 🚨 CRITICAL ALERT: Patch Your Redis INSTANCES NOW! 🚨 ​A severe Remote Code Execution (RCE) vulnerability, dubbed RediShell (CVE-2025-49844), has been uncovered in Redis, scoring the maximum possible CVSS 10.0. This flaw affects every version of Redis with Lua scripting rel

    @YahyaToubali

    11 Oct 2025

    127 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  34. There's a particularly bad Redis vuln that didn't get much fanfare this past week, CVE-2025-49844,https://t.co/U3lEqdznaa. Approximately 55k vulnerable right now. https://t.co/NtqfvcwPcu https://t.co/I04EBPm9wS

    @schwartzonsec

    11 Oct 2025

    179 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  35. RediShell (CVE-2025-49844) Vulnerability-Scanner https://t.co/2n15hoKlTT #vulnerability

    @d4rk_c0r3

    11 Oct 2025

    59 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. 🚨 Critical RCE Vulnerability in Redis (CVE-2025-49844). Please see the @ncsc_gov_ie for more info: https://t.co/SFg3eDYDmc

    @ncsc_gov_ie

    10 Oct 2025

    79 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. Patches have been released for a critical vulnerability in Redis that gives attackers full access to the hosting system. The vulnerability is known as CVE-2025-49844 and allows malicious Lua scripts to be run. Having Redis without

    @Cybereayn

    10 Oct 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. 🚨🚨CVE-2025-49844 (CVSS 10): Redis Lua RCE Authenticated attackers can exploit a Lua script to trigger a use-after-free, enabling RCE. Affects all Lua-enabled Redis versions. 🔥PoC: https://t.co/OvL4Y7xcqc Search by vul.cve Filter👉vul.cve="CVE-2025-49844" ZoomEye http

    @zoomeye_team

    10 Oct 2025

    3726 Impressions

    25 Retweets

    76 Likes

    24 Bookmarks

    2 Replies

    0 Quotes

  39. Redis RCE Vulnerability (CVE-2025-49844, CVSS 10.0,💥 This in-memory database flaw allows remote code execution via Lua sandbox escape, targeting exposed instances for cryptojacking and botnets. Immediately update Redis and enable authentication. #RedisSecurity #PatchManageme

    @CyberWolfGuard

    9 Oct 2025

    67 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  40. (1/4) 🚨CVE-2025-49844: Redis Lua Parser UAF → RCE Root cause: luaY_parser() fails to anchor TString objects on Lua stack before lexer invocation. GC can free chunk-name string while parser holds dangling reference. 330K exposed instances. 60K unauthenticated. A thread!

    @hackcubes

    9 Oct 2025

    72 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    1 Reply

    0 Quotes

  41. Cyber threat landscape heats up with critical breaches, vulnerabilities, and scams hitting global targets in the last hour 🚨 Here’s your quick briefing: 🛠️ Redis suffers a critical memory corruption flaw (CVE-2025-49844) allowing authenticated attackers to execute arbi

    @np_cyber_news

    9 Oct 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. 🚨 A 13-year-old flaw in #Redis — CVE-2025-49844 (RediShell) — allows remote code execution (CVSS 10.0)! 👉 https://t.co/WnPR3goq9I #CyberSecurity #RCE #Vulert #CloudSecurity #OpenSource #CVE202549844

    @vulert_official

    9 Oct 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. A practical lab environment for testing and understanding the critical CVE-2025-49844 (RediShell) vulnerability in Redis. https://t.co/Sj1nnNY7k3 https://t.co/MQomcqV4zz

    @ngnicky

    8 Oct 2025

    147 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. A CVE-2025-49844 (RediShell) vulnerability has been discovered in older Redis versions. The flaw reportedly went unnoticed for 13 years and enables remote code execution. Anyone whose Redis version is not current should update (or close it off from the outside and configure authentication) ht

    @ridvanyagli

    8 Oct 2025

    96 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. 🔥 Curious how we exploited CVE-2025-49844 (RediShell)? From a 2-bit reset to 0-click RCE. Come see me at Hexacon 2025 - Paris, where I’ll share in-depth technical details on the exploitation. See you on Friday 👋 #Redis #Security #RediShell @hexacon_fr https://t.co/WE8Xalz

    @benny_isaacs

    8 Oct 2025

    4205 Impressions

    8 Retweets

    62 Likes

    16 Bookmarks

    0 Replies

    1 Quote

  46. 🚨 CVE-2025-49844 (CVSS 10.0) in Redis could let attackers remotely execute code without authentication — putting critical systems at risk. ✅ Patch now or block EVAL/EVALSHA as a workaround. 🛡️ Tanium helps you find & fix vulnerable endpoints fast. 👉 https://t

    @Tanium

    8 Oct 2025

    351 Impressions

    1 Retweet

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. New Post: Critical 13-year-old vulnerability in Redis allows remote code execution (CVE-2025-49844) https://t.co/D6UpWmMTG7

    @hualkana

    8 Oct 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. A critical vulnerability (CVE-2025-49844) is reported in Redis ≤8.2.1 that allows remote code execution (RCE) via a use-after-free in the Lua parser. The flaw affects all versions with Lua scripting and has been rated with a severity of 9.9 (CRITICAL).

    @tpx_Security

    8 Oct 2025

    91 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. Critical vulnerability CVE-2025-49844 in Redis https://t.co/F1UUB1b7e7

    @abclinuxu

    8 Oct 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. Whoa, PoC exploits just dropped for 3 critical Lua engine RCEs (CVE-2025-49844, 46817, 46818). They're live, so patch fast before copycats turn your scripts into hacker playgrounds. 🧨🛡️ Audit Lua apps now. Thoughts? Reply! #CyberSec #Lua #InfoSec https://t.co/gjd7JKDLl6

    @z3nch4n

    8 Oct 2025

    99 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations