Redis warns of CVE-2025-49844, a Lua script flaw enabling RCE via use-after-free. Attackers need authenticated access to exploit it.
Redis disclosed a critical RCE bug, tracked as CVE-2025-49844 (also known as “RediShell”, with a CVSS score of 10.0), where a malicious Lua script can exploit the garbage collector to trigger a use-after-free vulnerability and enable remote code execution.
Cybersecurity firm Wiz discovered the bug and reported it to Redis on May 16, 2025. It’s a 13-year-old use-after-free flaw that lets a malicious Lua script break out of the sandbox and execute arbitrary code on the host.
“The vulnerability exploits a Use-After-Free (UAF) memory corruption bug that has existed for approximately 13 years in the Redis source code. This flaw allows a post auth attacker to send a specially crafted malicious Lua script (a feature supported by default in Redis) to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host.” reads the report published by Wiz. “This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments.”
Below is the disclosure timeline:
- May 16, 2025: Initial vulnerability report sent to Redis at Pwn2Own Berlin.
- Oct 3, 2025: Redis publishes the security bulletin and assigns CVE-2025-49844.
- Oct 6, 2025: Wiz Research publishes its blog post.
The researchers warn of real attacks, which could enable credential theft, malware deployment, data exfiltration, or lateral movement to other cloud services.
Exploitation requires prior authenticated access, so Redis instances should be hardened accordingly: no Internet exposure and strong authentication.
“[CVE-2025-49844] Lua use-after-free may lead to remote code execution. CVSS Score: 10.0 (Critical)” reads the advisory. “An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution.”
The vulnerability impacts all versions of Redis with Lua scripting.
“The problem exists in all versions of Redis with Lua scripting.” reads a GitHub advisory.
The company addressed the issue in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, released on October 3, 2025. As a workaround, restrict EVAL and EVALSHA via ACLs so that only trusted users can run Lua scripts or other risky commands.
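The ACL workaround above is only effective if no enabled user keeps scripting rights. The following is an added example (not code from Redis or from the article) that audits a `users.acl` file for enabled users who can still run `@scripting` commands or who have `nopass` set; the sample ACL content and user names are constructed.

```python
"""Audit a Redis users.acl file for users who can run Lua scripting commands.

Added example, not code from Redis or from the article. It models only the ACL
rules this check needs: +@all/-@all (allcommands/nocommands), +@scripting/
-@scripting, +cmd/-cmd, on/off and nopass; other tokens are ignored.
"""

# The commands Redis places in the @scripting category.
SCRIPTING = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO", "SCRIPT",
             "FCALL", "FCALL_RO", "FUNCTION"}

# Constructed sample users.acl content (hypothetical users and passwords).
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user app on >s3cr3t ~app:* +@all -@scripting
user scripter on >hunter2 ~* -@all +get +set +eval
user legacy off nopass ~* +@all
"""

def allowed_scripting(rules):
    """Apply command rules left to right; return the @scripting commands still permitted."""
    allowed = set()  # a newly created user starts with no commands (-@all)
    for tok in rules:
        t = tok.lower()
        if t in ("allcommands", "+@all", "+@scripting"):
            allowed = set(SCRIPTING)
        elif t in ("nocommands", "-@all", "-@scripting"):
            allowed = set()
        elif t[0] in "+-" and t[1:2] != "@":  # single command, e.g. +eval or -evalsha
            cmd = t[1:].split("|")[0].upper()  # strip any "|subcommand" suffix
            if cmd in SCRIPTING:
                (allowed.add if t[0] == "+" else allowed.discard)(cmd)
    return allowed

def audit(acl_text):
    """Map each enabled user to its permitted scripting commands and nopass status."""
    report = {}
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        name, rules = parts[1], parts[2:]
        state = [t for t in rules if t in ("on", "off")]  # last on/off token wins
        if state[-1:] != ["on"]:
            continue  # disabled users cannot authenticate, so no exposure
        report[name] = {"scripting": sorted(allowed_scripting(rules)),
                        "nopass": "nopass" in rules}
    return report
```

Running `audit()` on the sample flags `default` (full scripting rights and no password) and `scripter` (EVAL granted explicitly), while `app` is clean and the disabled `legacy` user is skipped.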
Given that Redis is used in an estimated 75% of cloud environments, the potential impact is extensive. Organizations are strongly urged to patch their instances immediately, prioritizing those exposed to the internet.
The attack chain for RediShell (CVE-2025-49844) shows an attacker sending a malicious Lua script to trigger a use-after-free, escape the Lua sandbox and execute arbitrary code. They open a reverse shell for persistence, steal credentials (.ssh, IAM tokens, certs), install malware or miners, exfiltrate data from Redis and the host, then use stolen tokens to access cloud services, escalate privileges, and move laterally to further compromise systems.
“RediShell (CVE-2025-49844) represents a critical security vulnerability that affects all Redis versions due to its root cause in the underlying Lua interpreter. With hundreds of thousands of exposed instances worldwide, this vulnerability poses a significant threat to organizations across all industries.” concludes Wiz.
(SecurityAffairs – hacking, CVE-2025-49844)