Critical Redis Vulnerability Uncovered: 13-Year-Old Flaw Enables Remote Code Execution

A critical security vulnerability has been identified in Redis, the widely used in-memory database system. The flaw, tracked as CVE-2025-49844 and nicknamed RediShell, has been present in the Redis codebase for approximately 13 years. It carries the maximum CVSS score of 10.0 because a successful exploit yields full control of the host running redis-server.

Vulnerability Details

The issue resides in Redis's embedded Lua scripting engine. An authenticated client that is allowed to run Lua scripts can craft a script that manipulates the Lua garbage collector, triggering a use-after-free in the redis-server process. From that memory corruption the attacker can escape the Lua sandbox and execute arbitrary native code on the host. Every Redis version that supports Lua scripting is affected.

Discovery and Reporting

Cloud security firm Wiz discovered the vulnerability and reported it to Redis on May 16, 2025. Wiz described it as a use-after-free memory corruption bug that has existed in the Redis source for about 13 years. An attacker sends a malicious Lua script that escapes the Lua sandbox and achieves arbitrary native code execution on the Redis host. With that foothold an attacker can exfiltrate, delete, or encrypt data held by Redis, hijack the host's resources, and use the Redis host as a pivot for lateral movement within a cloud environment.

Patch and Mitigation

Redis addressed the vulnerability in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, all released on October 3, 2025. Users should upgrade to the fixed release for their branch immediately; deployments on a branch that did not receive a fix need to move to one of the maintained branches listed above.

As a temporary measure until the upgrade can be applied, Lua execution can be disabled with an access control list (ACL) that denies the EVAL and EVALSHA commands. Note that on Redis 7 and later the Functions API (FCALL, FUNCTION LOAD) also runs Lua, so denying the whole @scripting category is the safer rule. Beyond this specific fix, only trusted identities should ever be permitted to run Lua scripts or other high-risk commands.
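The following is an added example (it is not code from Redis or from Wiz) that shows the two checks a practitioner wants here: whether a running server reports a fixed version, and the ACL rule to apply if it does not. The `INFO server` excerpt and the user name `app` are constructed for the example; the fixed-version table is the one from the patch announcement above.

```python
"""Check a redis-server version against the CVE-2025-49844 fixed releases and
emit an ACL rule that removes Lua execution until the server is patched.

Added example, not code from Redis or Wiz. The INFO output below is constructed.
"""
import re

# Fixed releases per maintained branch, as announced by Redis (October 3, 2025).
FIXED_VERSIONS = {
    (6, 2): (6, 2, 20),
    (7, 2): (7, 2, 11),
    (7, 4): (7, 4, 6),
    (8, 0): (8, 0, 4),
    (8, 2): (8, 2, 2),
}

# Weak ACL line: no password, every command (including EVAL/EVALSHA) allowed.
WEAK_ACL = "user default on nopass ~* &* +@all"
# Hardened ACL line: password required, keys scoped, all Lua execution denied.
# The password placeholder is an assumption for the example.
HARDENED_ACL = "user app on >REPLACE_WITH_STRONG_SECRET ~app:* &* +@all -@scripting"

# Constructed excerpt of what `INFO server` returns on an unpatched 7.4 build.
SAMPLE_INFO_UNPATCHED = (
    "# Server\r\n"
    "redis_version:7.4.5\r\n"
    "redis_git_sha1:00000000\r\n"
    "redis_mode:standalone\r\n"
)


def parse_version(info_server: str) -> tuple:
    """Extract redis_version as an (major, minor, patch) tuple from INFO output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def is_patched(version: tuple) -> bool:
    """True if `version` is at or above the fixed release for its branch.

    A branch absent from the table (for example 7.0.x or 5.x) received no fix,
    so it is reported as unpatched: the remedy is to move to a maintained branch.
    """
    fixed = FIXED_VERSIONS.get(tuple(version[:2]))
    if fixed is None:
        return False
    return tuple(version) >= fixed


def scripting_lockdown_rule(user: str) -> str:
    """ACL command that denies Lua execution for `user`.

    `-@scripting` removes EVAL/EVALSHA and, on Redis 7+, FCALL/FUNCTION too;
    the narrower workaround from the advisory is `-eval -evalsha`.
    """
    return f"ACL SETUSER {user} -@scripting"


def assess(info_server: str, user: str) -> dict:
    """Combine the version check and the interim mitigation into one verdict."""
    version = parse_version(info_server)
    patched = is_patched(version)
    return {
        "version": version,
        "patched": patched,
        "mitigation": None if patched else scripting_lockdown_rule(user),
    }


if __name__ == "__main__":
    verdict = assess(SAMPLE_INFO_UNPATCHED, "app")
    print("redis", ".".join(map(str, verdict["version"])),
          "patched" if verdict["patched"] else "UNPATCHED")
    if verdict["mitigation"]:
        print("interim mitigation:", verdict["mitigation"])
        print("ACL file before:", WEAK_ACL)
        print("ACL file after: ", HARDENED_ACL)
```

In practice the `INFO server` text comes from `redis-cli INFO server`; the mitigation is applied with `redis-cli` and persisted with `ACL SAVE` (or in the ACL file) so it survives a restart. Remove the rule only after the server reports one of the fixed versions.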

Potential Impact

There is currently no evidence of exploitation in the wild, but Redis instances are a favoured target for cryptojacking and botnet operators. Approximately 330,000 Redis instances are exposed to the internet, and about 60,000 of them have no authentication at all. On those unauthenticated instances the "authenticated user" precondition is met by anyone who can reach the port, so the flaw is effectively pre-auth remote code execution there.

The combination of widespread deployment, default insecure configurations, and the severity of this vulnerability creates an urgent need for immediate remediation.

Recommendations

– Upgrade Immediately: Users should upgrade to the patched Redis versions without delay.

– Restrict Access: Keep Redis off the public internet (bind to private interfaces, leave protected mode on) and require authentication through ACL users with strong passwords rather than a shared default user.

– Limit Lua Script Execution: Configure ACLs to restrict the execution of Lua scripts by untrusted users.

– Monitor Systems: Watch Redis instances for signs of exploitation attempts: scripting commands (EVAL, EVALSHA, FCALL) from unfamiliar clients, new or changed ACL users, and unusual CPU or outbound network activity from the redis-server process, which is the typical footprint of cryptojacking.

By taking these steps, organizations can protect their systems from potential exploitation of this critical vulnerability.
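As an added example of the monitoring step (this is not code from Redis or Wiz), the script below parses the line format produced by the Redis MONITOR command and flags any Lua-related command issued by a client that is not on an allowlist. The MONITOR lines and the allowlisted address 10.0.0.10 are constructed for the example; the set of commands treated as "scripting" is an assumption based on which Redis commands load or run Lua.

```python
"""Flag Lua execution from unexpected clients in a Redis MONITOR stream.

Added example, not from Redis or Wiz. Sample lines and the allowlist are
constructed. MONITOR line format: '<ts> [<db> <addr:port>] "CMD" "arg" ...'
"""
import re
from dataclasses import dataclass

# Commands that load or execute Lua. EVAL/EVALSHA are the ones named in the
# advisory; FCALL/FUNCTION are the Redis 7+ Functions API, which also runs Lua.
SCRIPT_COMMANDS = {
    "EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO",
    "FCALL", "FCALL_RO", "FUNCTION", "SCRIPT",
}

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.*)$")
# One quoted argument; MONITOR escapes embedded quotes with a backslash.
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed MONITOR output: an allowlisted app client and an unknown client.
SAMPLE_MONITOR = [
    '1759500000.000001 [0 10.0.0.10:43210] "GET" "session:abc"',
    '1759500000.000512 [0 10.0.0.10:43210] "EVALSHA" '
    '"0123456789abcdef0123456789abcdef01234567" "1" "session:abc" "60"',
    '1759500001.120000 [0 203.0.113.7:51234] "EVAL" "local t = {} return #t" "0"',
    '1759500001.120300 [0 lua] "GET" "session:abc"',
    r'1759500002.500000 [0 203.0.113.7:51234] "FUNCTION" "LOAD" '
    r'"#!lua name=lib\nredis.register_function(\"f\", function() return 1 end)"',
]


@dataclass
class Finding:
    ts: float
    client: str
    command: str
    reason: str


def parse_monitor_line(line: str):
    """Return (timestamp, client, [args]) or None if the line is not MONITOR output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["client"], ARG_RE.findall(m["rest"])


def detect(lines, allowed_clients) -> list:
    """Flag scripting commands issued by clients outside `allowed_clients` (IPs)."""
    findings = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None or not parsed[2]:
            continue
        ts, client, args = parsed
        cmd = args[0].upper()
        if cmd not in SCRIPT_COMMANDS:
            continue
        # Strip the port. Commands a running script issues itself show up as
        # client "lua"; they are not a new entry point, so skip them.
        host = client.rsplit(":", 1)[0]
        if host == "lua" or host in allowed_clients:
            continue
        findings.append(Finding(ts, client, cmd,
                                "scripting command from non-allowlisted client"))
    return findings


def per_client_counts(findings) -> dict:
    """Summarise findings as {client: number of flagged commands}."""
    counts = {}
    for f in findings:
        counts[f.client] = counts.get(f.client, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect(SAMPLE_MONITOR, allowed_clients={"10.0.0.10"})
    for h in hits:
        print(f"{h.ts:.6f} {h.client} {h.command}: {h.reason}")
    print(per_client_counts(hits))
```

MONITOR is a diagnostic, not a logging facility: it costs throughput and echoes every argument, including data, so run it only for short windows on a replica or while investigating. For steady-state detection, the ACL LOG command (which records denied commands once the `-@scripting` rule is in place) and host-level telemetry for the redis-server process are cheaper signals.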