A 13-year-old critical flaw in Redis servers, rated a perfect 10 out of 10 in severity, can let an authenticated user trigger remote code execution.
For anyone using Redis Cloud, the service has already been upgraded, with fixes, so no need to do anything. But for anyone using self-managed versions of the widely used in-memory database (OSS, CE, Stack, and Software versions): upgrade to the latest release listed here.
The security flaw, tracked as CVE-2025-49844, affects all Redis versions with Lua scripting. It allows an authenticated attacker to send a malicious Lua script and manipulate the garbage collector – this is its memory management system intended to prevent memory leaks – and trigger a use-after-free that can potentially lead to remote code execution in the Redis server process.
It's especially concerning because it has existed in Redis source code for 13 years, according to Wiz researchers Benny Isaacs and Nir Brakha, who discovered the security hole with Trend Micro's Zero Day Initiative (ZDI) bug hunters.
"Given that Redis is used in an estimated 75 percent of cloud environments, the potential impact is extensive," Isaacs and Brakha said in an alert shared with The Register and slated to publish Monday night. "Organizations are strongly urged to patch instances immediately by prioritizing those that are exposed to the internet."
About 330,000 Redis instances remain exposed to the internet and 60,000 instances have no authentication configured, the duo added.
"We have no evidence of exploitation of these vulnerabilities in Redis Cloud or reported in customer environments," Redis Chief Information Security Officer Riaz Lakhani said in an October 3 security advisory.
But considering how long the bug has been hiding out, it's still a good idea to check your operating environment for any indicators of compromise.
These, according to Lakhani, include access to the Redis database from unauthorized or unknown sources, unusual network ingress and egress traffic, unknown scripts in the database, unexplained server crashes – specifically with a stack trace originating from a Lua engine – and unexpected command execution.
Additionally, it's a good idea to use firewalls and network policies to restrict access to only trusted sources and ensure that unauthorized users can't access your database, and to enforce the use of credentials for all access to Redis instances. ®
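One way to act on the two pieces of advice above (look for crash traces originating in the Lua engine, and make sure instances are not reachable without credentials or from untrusted networks), as an added Python example that is not from the article, Redis or Wiz; it assumes a Redis crash report with a "STACK TRACE" section and uses constructed log and config samples:

```python
# Added triage helper, not Redis or Wiz code. The crash-report layout (a "STACK TRACE"
# section) is an assumption, the "lua" frame match is a heuristic, and samples are constructed.
import re
LUA_FRAME = re.compile(r"lua", re.IGNORECASE)   # matches frames such as luaV_execute, luaD_call

SAMPLE_LOG = """\
1234:M 03 Oct 2025 10:02:17.431 # Redis crashed by signal: 11
------ STACK TRACE ------
redis-server *:6379(luaV_execute+0x1a2)[0x55d1c0a1f7e2]
redis-server *:6379(evalGenericCommand+0x2f1)[0x55d1c09f8d31]
------ INFO OUTPUT ------
"""

SAMPLE_CONF = """\
bind 0.0.0.0          # constructed weak settings: no requirepass, open bind
protected-mode no
"""

def lua_crash_traces(log_text):
    """Return each STACK TRACE section (list of frames) that contains a Lua frame."""
    hits, frames, in_trace = [], [], False
    for line in log_text.splitlines():
        if "STACK TRACE" in line:                     # trace section begins
            in_trace, frames = True, []
        elif in_trace and line.startswith("------"):  # next report section ends it
            in_trace = False
            if any(LUA_FRAME.search(f) for f in frames):
                hits.append(frames)
        elif in_trace and line.strip():
            frames.append(line.strip())
    if in_trace and any(LUA_FRAME.search(f) for f in frames):  # trace ran to EOF
        hits.append(frames)
    return hits

def config_findings(conf_text):
    """Return hardening gaps in a redis.conf body: credentials, bind, protected-mode."""
    d = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if line:
            key, _, value = line.partition(" ")
            d.setdefault(key.lower(), []).append(value.strip().strip('"'))
    findings = []
    if not any(v for k in ("requirepass", "user", "aclfile") for v in d.get(k, [])):
        findings.append("no credentials: set requirepass or define ACL users")
    if any(b in ("0.0.0.0", "*", "::") for b in " ".join(d.get("bind", ["0.0.0.0"])).split()):
        findings.append("bind exposes the listener on all interfaces")  # absent bind = all interfaces
    if d.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode disabled")
    return findings
```

Run it over a real redis-server log and the live redis.conf; a Lua-frame crash trace is a reason to triage the host, and any finding from the config check is something to fix before assuming the instance is only reachable by trusted, authenticated clients.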