Redis (<8.2.2): Use-After-Free in Redis Lua scripting leading to remote code execution (CVE-2025-49844) #shorts
Summary
Welcome to today’s podcast. We’re diving into CVE-2025-49844, a critical remote code execution vulnerability in Redis. Discovered by Wiz Research and tracked by CERT, this flaw affects all Redis servers with Lua scripting enabled prior to version 8.2.2. It’s estimated to expose roughly 75% of cloud environments to potential attacks, making it one of the most impactful Redis vulnerabilities in recent memory.
Product details
Redis is a popular open source, in-memory data store that persists datasets on disk. It’s widely adopted across enterprises, cloud providers, and DevOps teams for caching, message brokering, and real-time analytics. Oracle Linux 10, Rocky Linux 8, and countless other distributions have pushed security updates specifically to address this vulnerability, highlighting its severity and broad footprint.
Vulnerability type summary
CVE-2025-49844 is classified under CWE-416: Use After Free. In a nutshell, a use-after-free bug allows an attacker to make the program access memory that has already been released. When exploited correctly, this can lead to arbitrary code execution, privilege escalation, and complete system compromise.
Details of the vulnerability
In versions of Redis up to 8.2.1, an authenticated user can supply a specially crafted Lua script that manipulates the internal garbage collector. By abusing Redis’s Lua scripting engine—specifically the EVAL and EVALSHA commands—a malicious actor can force a use-after-free condition. Once triggered, this flaw can be chained into remote code execution on the host system. CERT and Redis maintainers confirmed the issue on October 3, 2025, and released the patch in version 8.2.2 on October 8. Until you can upgrade, you can mitigate risk by enforcing ACL rules to disable Lua scripts—blocking EVAL and EVALSHA altogether.
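The two mitigations described above (upgrade to 8.2.2, and until then restrict EVAL/EVALSHA through ACLs) can be checked from the outside. The following is an added audit helper, not code from the podcast or from the Redis project: it takes the text of `INFO server` and the lines returned by `ACL LIST` (both as captured with redis-cli), reports whether the instance still predates 8.2.2, lists enabled users who can still reach the Lua scripting commands, and renders a hardened `users.acl` line that revokes the `@scripting` category. The sample INFO output and ACL entries below are constructed for the example; the assumption that scripting commands are only granted through `+@all`, `+@scripting` or their explicit names is noted in the code.

```python
"""Audit helper for CVE-2025-49844 exposure: version check plus ACL review.

Added example; it is not part of the podcast page or the Redis code base.
"""
import re

FIXED_VERSION = (8, 2, 2)   # first release carrying the fix

# Commands that hand user-supplied scripts to the Lua engine. Redis groups them
# under the @scripting ACL category. Assumption made here: no other category
# (+@read, +@write, ...) grants these commands, so only +@all, +@scripting and
# the explicit command names are treated as granting access.
SCRIPTING_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro",
                      "script", "function", "fcall", "fcall_ro"}


def parse_version(info_text: str):
    """Extract redis_version from INFO output as a (major, minor, patch) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.MULTILINE)
    return tuple(int(x) for x in m.groups()) if m else None


def needs_upgrade(info_text: str) -> bool:
    """True when the reported version predates the fixed release 8.2.2."""
    version = parse_version(info_text)
    return version is not None and version < FIXED_VERSION


def parse_acl_line(line: str):
    """Split one ACL LIST / users.acl entry into (username, enabled, command rules)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL entry: {line!r}")
    name = tokens[1]
    enabled = "on" in tokens[2:]
    rules = [t for t in tokens[2:] if t[0] in "+-"]   # keys (~) and channels (&) ignored
    return name, enabled, rules


def scripting_commands_allowed(rules) -> set:
    """Replay the command rules in order (in Redis ACLs the last matching rule wins)
    and return the scripting commands the user ends up with."""
    allowed = set()
    for rule in rules:
        grant = rule[0] == "+"
        body = rule[1:].lower().split("|")[0]   # '+script|flush' counts as 'script'
        if body in ("@all", "@scripting"):
            allowed = set(SCRIPTING_COMMANDS) if grant else set()
        elif body in SCRIPTING_COMMANDS:
            (allowed.add if grant else allowed.discard)(body)
    return allowed


def users_with_lua_access(acl_lines):
    """Usernames of enabled users that can still invoke scripting commands."""
    found = []
    for line in acl_lines:
        name, enabled, rules = parse_acl_line(line)
        if enabled and scripting_commands_allowed(rules):
            found.append(name)
    return found


def hardened_acl_line(line: str) -> str:
    """Return the entry with -@scripting appended (last rule wins), so the user
    loses EVAL/EVALSHA; entries that already lack scripting access are unchanged."""
    _, enabled, rules = parse_acl_line(line)
    if not enabled or not scripting_commands_allowed(rules):
        return line
    return line + " -@scripting"


def audit(info_text: str, acl_lines):
    """Combine both checks into one report."""
    return {"needs_upgrade": needs_upgrade(info_text),
            "lua_users": users_with_lua_access(acl_lines)}


# Constructed sample data; not captured from a real deployment.
SAMPLE_INFO = "# Server\r\nredis_version:8.2.1\r\nredis_mode:standalone\r\n"
SAMPLE_HASH = "#" + "ab" * 32   # placeholder standing in for a sha256 password hash
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    f"user app on {SAMPLE_HASH} ~app:* &* -@all +get +set +del",
    f"user batch on {SAMPLE_HASH} ~* &* +@all -@scripting",
    f"user legacy on {SAMPLE_HASH} ~* &* +@all -@scripting +eval",
    f"user retired off {SAMPLE_HASH} ~* &* +@all",
]

if __name__ == "__main__":
    report = audit(SAMPLE_INFO, SAMPLE_ACL)
    print("needs upgrade to 8.2.2:", report["needs_upgrade"])
    print("enabled users who can run Lua:", report["lua_users"])
    for entry in SAMPLE_ACL:
        print("hardened users.acl line:", hardened_acl_line(entry))
```

On the sample data the report flags the version as needing the upgrade and lists `default` (passwordless, `+@all`) and `legacy` (`-@scripting` undone by a later `+eval`) as the users who can still reach Lua; `batch` is clean because its `-@scripting` comes last, and `retired` is skipped because the user is off. The hardened lines can be dropped into `users.acl` or applied with `ACL SETUSER` as an interim measure before the upgrade.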
Conclusion
CVE-2025-49844 serves as a stark reminder of the power and danger of embedded scripting engines. If you manage Redis instances, especially in cloud deployments, apply version 8.2.2 or later immediately. Review your ACL policies to ensure Lua scripting is restricted according to the principle of least privilege. Stay tuned for future episodes where we’ll unpack the latest security updates and dive deeper into hardening your infrastructure.
Watch the full video on YouTube: CVE-2025-49844
Remediation and exploitation details
This chain involves the following actors:
- Attacker: authenticated or unauthorized user seeking remote code execution
The following systems are involved:
- Redis Server (in-memory key value data store with script evaluation): target of memory corruption and code execution
Attack entry point
- EVAL/EVALSHA commands: interface that accepts and runs user-supplied Lua scripts
Remediation actions
- Upgrade Redis to version 8.2.2 or later, which contains the fix
- Until the upgrade is applied, enforce ACL rules that block EVAL and EVALSHA so untrusted users cannot run Lua scripts
Exploitation actions
Use valid credentials or exploit lax access controls
- Logging in with breached or default password via redis-cli
Invoke functions in a sequence that frees objects prematurely
- EVAL 'for i=1,1000 do collectgarbage("step") end' 0
Manipulate object lifecycle so memory is reused while still referenced
- Repeatedly allocate and free tables in the Lua environment
Embed binary payload inside the Lua script to place shellcode
- Crafting a payload that writes raw bytes into freed memory slots
Corrupt function pointers or return addresses in server process
- Modifying Lua internal dispatch table entries to point to shellcode
Run the shellcode to spawn a command shell or connect back
- Reverse shell connecting to an attacker-controlled host on port 4444
Use operating system utilities to copy database files or install backdoor
- Uploading dump files to remote storage or installing cron job
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q
- https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539
- https://github.com/redis/redis/releases/tag/8.2.2
- [2025-10-09] A critical Redis flaw, CVE-2025-49844, exposes 75% of cloud systems to remote code execution, data theft, and full system compromise.
- [2025-10-10] A guide on how to install and secure Redis on Rocky Linux 8, including a security notice for CVE-2025-49844.
- [2025-10-07] Critical remote code execution vulnerability discovered in Redis, identified as CVE-2025-49844.
- [2025-10-09] CERT detected and Redis fixed a Lua code execution vulnerability (CVE-2025-49844) in Redis.
- [2025-10-06] Wiz Research discovers a critical remote code execution vulnerability in Redis, affecting 75% of cloud environments.
- [2025-10-07] Redis releases patches for a critical RCE vulnerability (CVE-2025-49844) that could allow attackers to execute arbitrary code on the host system.
- [2025-10-09] Oracle Linux 10 receives an important security update for Valkey addressing CVE-2025-49844.