Redis has revealed details of the maximum security flaws in in-memory database software that can result in remote code execution under certain circumstances.
The vulnerability tracked as CVE-2025-49844 (aka Redishell) is assigned a CVSS score of 10.0.
“Authenticated users can use specially written LUA scripts to manipulate garbage collectors, trigger waste, and potentially lead to remote code execution,” according to GitHub’s advisory. “The problem exists in all versions of Redis in LUA scripts.”
However, for successful exploitation, it is important that the attacker first needs to gain authenticated access to the Redis instance, and that users leave the Redis instance exposed to the internet and not protect it with strong authentication.
This issue affects all versions of Redis. It is described in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, released on October 3, 2025.
As a temporary workaround until patching is applied, we recommend that you prevent users from running LUA scripts by configuring access control lists (ACLs) to restrict Evals and Evalsha commands. It is also important that only trusted identities can run LUA scripts or other potentially dangerous commands.
The cloud security company Wiz, which discovered and reported the flaw in Redis on May 16, 2025, described it as a lean (UAF) memory corruption bug that had been present in Redis source code for about 13 years.
Essentially, the attacker allows malicious LUA scripts to be sent that lead to arbitrary code execution outside the Redis Lua interpreter sandbox, allowing unauthorized access to the underlying host. Hypothetical attack scenarios can be used to steal credentials, drop malware, remove sensitive data, and pivot to other cloud services.
“This flaw allows Post Auth attackers to escape specially crafted malicious LUA scripts (a feature supported by Redis by default) from the LUA sandbox, allowing arbitrary native code execution on the Redis host,” says Wiz. “This allows attackers to grant full access to the host system, remove, wipe or encrypt sensitive data, hijack resources, and accelerate lateral movement within the cloud environment.”
Although there is no evidence that the vulnerability has been exploited in the wild, Redis instances are the favourable targets of threat actors who attempt to participate in botnets by conducting cryptojacking attacks. At the time of writing, around 330,000 Redis instances are exposed to the internet, of which approximately 60,000 lack authentication.
“With hundreds of thousands of exposed instances around the world, this vulnerability poses a major threat to organizations in all industries,” Wiz said. “The combination of widespread deployment, default unstable configurations, and vulnerability severity creates an urgent need for immediate remediation.”
Source link
