Redis patched a critical vulnerability with a CVSS score of 9.9 that could be used to achieve remote code execution (RCE).
The flaw, tracked as CVE-2025-49844, enables an authenticated user to use a specially crafted Lua script to manipulate Redis’ garbage collection mechanism, trigger a use-after-free error and ultimately escape the Lua interpreter sandbox to execute arbitrary code on the host, according to a Wiz report shared with SC Media.
Wiz, which helped discover and report the flaw at Pwn2Own Berlin in May, estimated that 75% of cloud environments use Redis, which is an open-source in-memory database. Additionally, Wiz found that about 330,000 Redis instances are exposed to the internet and about 60,000 require no authentication.
CVE-2025-49844 is reportedly the first critical vulnerability ever found in Redis and has existed in the Redis source code for about 13 years, according to the Wiz researchers, who have dubbed the flaw “RediShell.”
While originally assigned a maximum CVSS score of 10, CVE-2025-49844 now has a score of 9.9 in the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST).
Those who self-manage their Redis instances should immediately upgrade to one of the following fixed releases:
Redis Cloud users do not need to take additional action, as the service was already upgraded with fixes, Redis said.
For those who cannot immediately upgrade, the flaw can be mitigated by preventing users from executing Lua scripts, Redis added in a GitHub advisory.
The vulnerability is not believed to have been exploited in the wild, but users can check their instances for signs of compromise such as anomalous network ingress traffic, unexpected use of scripting commands, unexplained server crashes with a stack trace originating from the Lua engine or anomalous changes to the file system, Redis said.
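One way to look for the "unexpected use of scripting commands" indicator described above, as an added example that is not from the Redis advisory or the Wiz report: a Python parser over Redis MONITOR output that flags Lua and function-related commands coming from clients outside an allow-list. The MONITOR lines and the allow-listed application host (10.0.0.5) are constructed for this example.

```python
import re
from collections import Counter

# Commands that load or run Lua scripts or Redis functions. Unexpected use of these
# is one of the compromise indicators Redis lists for CVE-2025-49844.
SCRIPTING_COMMANDS = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO",
                      "SCRIPT", "FUNCTION", "FCALL", "FCALL_RO"}

# MONITOR line format: <unix ts> [<db> <client addr>] "<CMD>" "<arg>" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>".*)$')
# Quoted arguments; MONITOR escapes embedded quotes and non-printables with backslashes.
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_monitor_line(line):
    """Parse one MONITOR line into a dict, or return None for lines that do not match."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group("args"))
    if not args:
        return None
    return {"ts": float(m.group("ts")), "db": int(m.group("db")),
            "client": m.group("client"), "command": args[0].upper(), "args": args[1:]}

def find_unexpected_scripting(lines, allowed_clients=frozenset()):
    """Return scripting-command events from hosts that are not on the allow-list.
    Client addresses are host:port; unix-socket clients appear as unix:/path."""
    findings = []
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None or ev["command"] not in SCRIPTING_COMMANDS:
            continue
        host = ev["client"].rsplit(":", 1)[0]
        if host not in allowed_clients:
            findings.append(ev)
    return findings

def summarize_by_client(findings):
    """Count flagged scripting commands per client address (address without port)."""
    return dict(Counter(f["client"].rsplit(":", 1)[0] for f in findings))

# Constructed sample: the application host 10.0.0.5 legitimately runs a cached script;
# 203.0.113.77 is an unknown host that authenticates and then loads and runs Lua.
SAMPLE_MONITOR = [
    '1759900000.000000 [0 10.0.0.5:51234] "GET" "session:42"',
    '1759900000.100000 [0 10.0.0.5:51234] "EVALSHA" "a42059b356c875f0717db19a51f6aaca9ae659ea" "1" "session:42"',
    '1759900001.000000 [0 203.0.113.77:40001] "AUTH" "(redacted)"',
    '1759900001.050000 [0 203.0.113.77:40001] "SCRIPT" "LOAD" "local t = {} return #t"',
    '1759900001.200000 [0 203.0.113.77:40001] "EVAL" "return 1" "0"',
]

if __name__ == "__main__":
    for f in find_unexpected_scripting(SAMPLE_MONITOR, allowed_clients={"10.0.0.5"}):
        print(f'{f["ts"]:.6f} {f["client"]} {f["command"]} {f["args"]}')
```

MONITOR itself adds load to a busy server, so the same check is better run over a command log or proxy capture than over a live MONITOR stream on a production instance.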
Redis users should additionally take measures to protect their instances from unauthorized access, as authenticated access is required to exploit the vulnerability.
Users should restrict network access using firewalls and network policies, enforce strong authentication methods and use protected mode in OSS and CE instances, and limit user permissions to only those necessary, including permissions to run Lua scripts and other potentially risky commands, the company said.