A critical use-after-free vulnerability recently discovered in Redis has put thousands of deployments at risk of remote code execution (RCE). Tracked as CVE-2025-49844, the flaw impacts all Redis versions up to 8.2.1 that have Lua scripting enabled, and has since been patched in Redis version 8.2.2. Security advisories from multiple vendors, including Redis, Oracle, and Debian, urge immediate action due to the ease of exploitation and high potential for system compromise.
Lua Scripting Vulnerability in Redis Enables Critical RCE
Redis, the widely used in-memory data store, supports the execution of Lua scripts via the `EVAL` and `EVALSHA` commands to enable complex server-side logic. However, CVE-2025-49844 reveals how this feature can be misused by authenticated attackers to achieve remote code execution through manipulation of the Lua garbage collector.
Flaw Scoped to Use-After-Free Memory Condition
The vulnerability is classified under CWE-416 (Use After Free), and is triggered when specially crafted Lua scripts manipulate Redis memory handling in a way that leaves previously freed memory in a dangerous, reusable state. According to the Redis security advisory, this behavior permits an attacker with valid credentials to upload malicious scripts, which can hijack program control flow and execute arbitrary code.
The vulnerability has received a CVSS v3.1 base score of 9.9 from the National Vulnerability Database (NVD), signaling critical severity. SOCRadar assigned it the maximum SVRS (SOCRadar Vulnerability Risk Score) of 99, emphasizing its potential for widespread and damaging exploitation.
CVE-2025-49844 Exploitation Now Active, Immediate Patching is Essential
Security researchers, including teams from Wiz and Trend Micro’s Zero Day Initiative, are credited with discovering and disclosing the issue. SOCRadar warns that exploits for CVE-2025-49844 are already being observed in the wild, dramatically increasing the urgency for system owners to patch affected deployments.
Redis responded swiftly by releasing security updates across multiple branches. The patch is included in the following versions:
- Redis Software : 7.22.2-12 and above, 7.8.6-207 and above, 7.4.6-272 and above, 7.2.4-138 and above, 6.4.2-131 and above
- Redis OSS/CE/Stack :
– OSS/CE: 8.2.2 and above, 8.0.4 and above, 7.4.6 and above, 7.2.11 and above – Stack: 7.4.0-v7 and above, 7.2.0-v19 and above
Major distributions have also released patches. For instance, Debian supports fixed versions in its unstable “forky” and “sid” branches, while Oracle has updated Redis packages in its Linux OS versions 8, 9, and 10. Amazon Linux registries and the Cyber Security Agency of Singapore (CSA) have also issued security alerts urging system administrators to patch immediately.
Mitigation Options for Environments That Cannot Upgrade
While upgrading to Redis 8.2.2 or a patched variant is the recommended resolution, Redis and security vendors have proposed temporary mitigation strategies for environments where immediate upgrading is not feasible:
- Disable Lua Command Execution via ACLs : Prevent execution of Lua scripts by disallowing access to the `EVAL` and `EVALSHA` commands using Access Control Lists.
- Implement Network Access Controls : Restrict Redis server exposure to trusted internal networks and authenticated users only.
- Harden Authentication and Permissions : Enforce strong authentication and minimize Lua scripting privileges to prevent abuse.
- Monitor Logs and Traffic : Continuously audit Redis logs for signs of suspicious script usage or malformed command sequences.
- Apply Network Segmentation : Isolate Redis deployments from external-facing services to contain potential breaches.
These workarounds are not a substitute for the full security patch but can reduce exposure while organizations assess and deploy updates.
Redis Community Should Reassess Use of Lua Scripting
The discovery of CVE-2025-49844 highlights the complexity and risk associated with server-side scripting in high-privilege memory environments. Redis’ Lua scripting feature, while powerful, requires secure implementation and administration. Organizations that rely heavily on `EVAL` or `EVALSHA` should audit their usage, validate inputs, and consider longer-term design adjustments to minimize client-provided code execution on critical infrastructure.
Given Redis’ popularity as a caching layer, message broker, and session store in cloud-native environments, the impact potential of this remote code execution vulnerability is far-reaching. Attackers exploiting this flaw could compromise application data, elevate privileges, or pivot further into a network—underscoring the importance of swift coordination between development, DevOps, and security teams.
Final Recommendation
In light of confirmed exploit activity and the critical CVSS score, Redis deployments must be evaluated for exposure to CVE-2025-49844. Administrators should prioritize the following actions:
- Immediately upgrade to Redis version 8.2.2 or the closest applicable secure release.
- Temporarily disable Lua scripting and audit access to Redis commands.
- Monitor for signs of Lua-based exploit attempts in logs and network metadata.
As always, adherence to the principle of least privilege and regular patching remain key defenses against emergent vulnerabilities in widely used platforms like Redis.
