A significant security flaw, designated as CVE-2025-49844, has been identified in Redis servers, potentially allowing authenticated users to execute arbitrary code remotely. This vulnerability affects all Redis versions that incorporate the Lua scripting engine, posing a substantial risk to numerous deployments relying on this widely used in-memory data store.
Understanding the Vulnerability
The root of this issue lies in Redis’s management of memory within its Lua scripting component. An authenticated user with the capability to execute Lua scripts can craft a malicious script designed to manipulate the server’s garbage collector. This manipulation induces a use-after-free condition, a type of memory corruption in which the application continues to access memory after it has been freed.
Potential Impact
Exploiting this vulnerability enables an attacker to hijack the application’s execution flow, leading to the execution of arbitrary code on the server. This grants the attacker control over the Redis instance and potentially the underlying system. The ramifications are severe:
– Data Compromise: Attackers could access, modify, or delete sensitive information stored within the Redis database.
– Service Disruption: Malicious actors might cause denial-of-service conditions, rendering the database unavailable.
– Lateral Movement: A compromised Redis server could serve as an entry point for attackers to infiltrate other systems within the network, escalating their privileges and targeting additional internal resources.
Given that Lua scripting has been an integral feature of Redis for many years, this vulnerability’s impact is extensive, affecting all versions supporting Lua scripting.
Technical Details
– CVE ID: CVE-2025-49844
– Affected Products: All Redis versions with Lua scripting enabled
– Impact: Remote Code Execution
– Exploit Prerequisites: Authenticated access with permissions to execute Lua scripts
– CVSS 3.1 Score: To be determined
Mitigation Strategies
While awaiting an official security patch, administrators can implement a robust workaround to mitigate the risk:
– Restrict Lua Script Execution: Prevent users from executing Lua scripts by modifying Redis Access Control Lists (ACLs) to restrict the `EVAL` and `EVALSHA` commands. Blocking these commands will deny any attempt to run a malicious script, effectively neutralizing the threat.
This immediate defense does not require updating the `redis-server` executable and should be prioritized for all production environments.
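As an added example (not part of the original article and not Redis’s own tooling), the following Python script audits a Redis `users.acl` file, or the `user` directives copied out of a `redis.conf`, offline. It applies each user’s ACL rules in order, the way Redis does, and reports every enabled user who can still run `EVAL` or `EVALSHA`. It accounts for `+@all`/`allcommands`, `-@all`/`nocommands`, `reset`, the `@scripting` command category (which contains both commands, so `+@scripting` re-grants them), and direct `+eval`/`-eval` rules. The sample ACL text is constructed for illustration, and the function names are my own.

```python
"""Offline audit of Redis ACL rules for the EVAL/EVALSHA workaround (added example)."""

# The two commands the mitigation says to block. Both are members of the
# @scripting ACL category, so category rules affect them as well.
SCRIPT_COMMANDS = ("eval", "evalsha")


def command_allowed(rules, command):
    """Apply ACL rules left to right and report whether `command` ends up allowed.

    A newly created Redis user has no command permissions, so the starting
    state is 'denied'. Only command-permission rules are modelled; password,
    key-pattern and channel rules are ignored because they do not affect
    whether a command may be invoked.
    """
    allowed = False
    for rule in rules:
        r = rule.lower()
        if r in ("reset", "nocommands", "-@all"):
            allowed = False
        elif r in ("allcommands", "+@all", "+@scripting"):
            allowed = True
        elif r == "-@scripting":
            allowed = False
        elif r[:1] in ("+", "-") and r[1:2] != "@":
            # Direct command rule such as "+eval", "-evalsha" or "+client|id";
            # strip any subcommand suffix before comparing.
            name = r[1:].split("|", 1)[0]
            if name == command:
                allowed = r[0] == "+"
    return allowed


def user_enabled(rules):
    """Users start disabled; the last on/off/reset rule wins."""
    enabled = False
    for rule in rules:
        r = rule.lower()
        if r == "on":
            enabled = True
        elif r in ("off", "reset"):
            enabled = False
    return enabled


def parse_acl(acl_text):
    """Yield (username, rules) for each `user ...` line, skipping comments and blanks."""
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() != "user" or len(parts) < 2:
            continue
        yield parts[1], parts[2:]


def audit_scripting(acl_text):
    """Return {user: [still-allowed script commands]} for enabled users that need fixing."""
    findings = {}
    for user, rules in parse_acl(acl_text):
        if not user_enabled(rules):
            continue
        exposed = [c for c in SCRIPT_COMMANDS if command_allowed(rules, c)]
        if exposed:
            findings[user] = exposed
    return findings


# Constructed sample ACL file; the users, passwords and key patterns are invented.
SAMPLE_ACL = """\
# default user: full access except the two commands named in the mitigation
user default on nopass ~* &* +@all -eval -evalsha
user cache-app on >s3cret ~cache:* +@read +@write
user batch on >b4tch ~* +@all -@scripting
user legacy on nopass ~* +@all
user retired off nopass ~* +@all
"""

if __name__ == "__main__":
    # Point this at a real users.acl path to audit a deployment.
    for user, commands in audit_scripting(SAMPLE_ACL).items():
        print(f"user '{user}' can still run: {', '.join(c.upper() for c in commands)}")
```

The file reflects persisted state only: rules changed at runtime with `ACL SETUSER` are not written back until `ACL SAVE` (or `CONFIG REWRITE` for `redis.conf` directives), so compare the report against the live output of `ACL LIST` before treating a deployment as covered.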
Disclosure and Collaboration
The vulnerability was responsibly disclosed by researchers Benny Isaacs, Nir Brakha, and Sagi Tzadik of Wiz, in collaboration with Trend Micro’s Zero Day Initiative. Their efforts underscore the importance of coordinated vulnerability disclosure and the ongoing need for vigilance in securing widely used software components.
Conclusion
The discovery of CVE-2025-49844 highlights the critical need for organizations to stay informed about vulnerabilities in the software they deploy. Administrators should promptly implement the recommended mitigations and monitor for official patches to ensure the security and integrity of their Redis deployments.