A critical remote code execution (RCE) vulnerability in Redis, the widely used in-memory data store, has been disclosed as CVE-2025-49844 and dubbed RediShell. The flaw has been present in the Redis codebase for approximately 13 years and lets an attacker who can submit Lua scripts (an authenticated client, or any client on an instance that has no authentication configured) execute arbitrary code on the host system, potentially leading to full system compromise.
Understanding the Vulnerability
RediShell is a use-after-free (UAF) memory-corruption bug in the Lua scripting engine embedded in Redis. A specially crafted Lua script submitted through EVAL (or EVALSHA) manipulates the Lua garbage collector so that the server keeps using memory after it has been freed. From that corrupted state the attacker escapes the Lua sandbox, which is meant to confine scripts to the data-store API, and runs native code inside the Redis process with whatever privileges that process holds. The flaw carries the maximum CVSS score of 10.0. ([wiz.io](https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844?utm_source=openai))
Scope and Impact
Redis is used in an estimated 75% of cloud environments for caching, session management and messaging, which amplifies the reach of this flaw. Wiz Research counted roughly 330,000 Redis instances exposed to the internet, about 60,000 of which accept commands without any authentication. On those hosts nothing stands between an unauthenticated attacker and the vulnerable Lua engine: a single malicious script is enough to execute code in the environment. ([wiz.io](https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844?utm_source=openai))
The attack chain starts with the attacker sending a malicious Lua script to the vulnerable instance. Once the UAF has been used to escape the sandbox, the attacker typically establishes a reverse shell for persistent access, then steals credentials, installs malware and exfiltrates sensitive data from both Redis and the underlying host. ([wiz.io](https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844?utm_source=openai))
Mitigation Measures
On October 3, 2025, Redis published a security advisory together with patched releases for every supported branch to address CVE-2025-49844. All Redis users are strongly urged to upgrade immediately, prioritising instances that are internet-exposed or run without authentication. ([wiz.io](https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844?utm_source=openai))
In addition to patching, organizations should implement security hardening best practices, including:
– Requiring authentication. Redis ships with no password and a default user that needs none, so set requirepass or define ACL users with strong passwords. Authentication alone does not close the hole: the bug is reachable by any client that is allowed to run EVAL.
– Restricting or disabling Lua scripting where it is not required. Open-source Redis has no configuration switch for this; deny EVAL and EVALSHA through ACLs (for example with the -@scripting rule) for every user that has no business running scripts.
– Running Redis as a dedicated, unprivileged user with minimal filesystem and network rights, so that a sandbox escape yields as little as possible.
– Enforcing network-level access controls: bind to private interfaces, keep protected-mode enabled, and use firewalls, security groups or VPC segmentation so that only authorised application networks can reach port 6379.
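The audit below is an added example written for this article; it is not code from Wiz Research or from the Redis project. It speaks raw RESP over a plain socket so it needs no client library, and it checks the points the exposure figures and the hardening list above turn on: whether the instance answers without authentication, whether the connecting user can reach EVAL, and whether the reported version is at or above the fixed release for its branch. The fixed-version table is my reading of the Redis advisory (8.2.2, 8.0.4, 7.4.6, 7.2.11, 6.2.20) and is an assumption to confirm against the advisory itself; the host, port and password in the usage block are placeholders.

```python
"""Exposure audit for CVE-2025-49844 (RediShell).

Added example for this article, not code from Wiz Research or the Redis
project. Speaks raw RESP over a socket so it needs no client library.
"""
import re
import socket
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases per branch as published in the Redis advisory of
# 3 October 2025. Assumption: verify against the advisory before relying on it.
FIXED_VERSIONS = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
    (6, 2): (6, 2, 20),
}


def parse_version(info_text: str) -> Optional[Version]:
    """Extract redis_version:X.Y.Z from the text of an INFO server reply."""
    m = re.search(r"redis_version:(\d+)\.(\d+)\.(\d+)", info_text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_patched(version: Version) -> bool:
    """True when the version is at or above the fixed release of its branch.

    Branches newer than the newest patched one were cut after the fix;
    older, unlisted branches (e.g. end-of-life 7.0.x) never received one.
    """
    branch = (version[0], version[1])
    if branch in FIXED_VERSIONS:
        return version >= FIXED_VERSIONS[branch]
    return branch > max(FIXED_VERSIONS)


def classify_ping(reply: str) -> str:
    """Map the reply to an unauthenticated PING onto an exposure state."""
    if reply.startswith("+PONG"):
        return "open"            # no credentials needed: EVAL is one command away
    if reply.startswith("-NOAUTH"):
        return "auth-required"   # requirepass or an ACL password is in force
    if reply.startswith("-DENIED"):
        return "protected-mode"  # protected mode refused a non-loopback client
    return "unknown"


def scripting_reachable(reply: str) -> bool:
    """True when EVAL "return 1" 0 ran; anything else (NOAUTH, NOPERM) means blocked."""
    return reply.startswith(":1")


def _read_reply(sock: socket.socket) -> str:
    """Read one RESP reply; for bulk strings ($len) read the whole payload."""
    buf = b""
    while b"\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    if buf.startswith(b"$"):
        head, _, _ = buf.partition(b"\r\n")
        length = int(head[1:])
        need = len(head) + 2 + length + 2  # header, payload, trailing CRLF
        while length >= 0 and len(buf) < need:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode(errors="replace")


def _command(sock: socket.socket, line: str) -> str:
    """Send an inline command (the redis-cli style Redis accepts on a raw socket)."""
    sock.sendall(line.encode() + b"\r\n")
    return _read_reply(sock)


def audit(host: str, port: int = 6379, password: Optional[str] = None,
          timeout: float = 3.0) -> dict:
    """Connect to a live instance and report auth state, EVAL reach and patch state."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        report = {"auth": classify_ping(_command(s, "PING"))}
        if report["auth"] == "protected-mode":
            return report        # Redis closes the connection after -DENIED
        if password:
            _command(s, f"AUTH {password}")
        report["eval_reachable"] = scripting_reachable(_command(s, 'EVAL "return 1" 0'))
        version = parse_version(_command(s, "INFO server"))
        report["version"] = version
        report["patched"] = is_patched(version) if version else None
    return report


if __name__ == "__main__":
    # Placeholder target; point it at an instance you are authorised to test.
    print(audit("127.0.0.1", 6379, password=None))
```

A report of `auth: open` with `eval_reachable: True` and `patched: False` is the configuration the 60,000 unauthenticated internet-facing hosts are in. To close the scripting path for an application user before the upgrade lands, the ACL rule is `ACL SETUSER app on >strong-password ~* &* +@all -@scripting`; `requirepass`, `bind 127.0.0.1` (or the private interface) and `protected-mode yes` in redis.conf cover the authentication and network bullets. Run the audit before and after: `eval_reachable` should flip from True to False for that user.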
Conclusion
The discovery of the RediShell vulnerability underscores the importance of regular security assessments and prompt patching in widely used software. Organizations utilizing Redis should take immediate action to secure their systems against potential exploitation.