March 7, 2026

PBX Science

VoIP & PBX, Networking, DIY, Computers.

Critical 13-Year-Old Redis Lua Vulnerability Enables Remote Code Execution


Redis has issued an urgent security alert for CVE-2025-49844, a critical vulnerability in its Lua scripting functionality that could allow remote code execution (RCE) through a use-after-free (UAF) exploit.

While exploitation requires authenticated access, the vulnerability’s severity and widespread impact have raised significant concerns across the cybersecurity community.


Maximum Severity Rating for “RediShell” Vulnerability

Redis disclosed the high-severity RCE vulnerability, designated as CVE-2025-49844 and dubbed “RediShell,” with a CVSS score of 10.0—the maximum severity level. Attackers can exploit the vulnerability by using malicious Lua scripts to manipulate the garbage collection mechanism, triggering a use-after-free condition that enables remote code execution.

13-Year-Old Flaw Bypasses Sandbox Protections

Cybersecurity firm Wiz discovered the vulnerability on May 16, 2025, and promptly reported it to Redis. The flaw represents a 13-year-old use-after-free vulnerability that allows malicious Lua scripts to break out of the sandbox environment and execute arbitrary code on the host system.

The vulnerability is a use-after-free memory corruption issue that has existed in the Redis source code for approximately 13 years. Authenticated attackers can send specially crafted malicious Lua scripts—a feature supported by Redis by default—to escape the Lua sandbox and execute arbitrary native code on the Redis host. This grants attackers complete access to the host system, enabling them to steal, delete, or encrypt sensitive data, hijack resources, and move laterally within cloud environments.

Disclosure Timeline

The vulnerability disclosure followed this timeline:

  1. May 16, 2025: Wiz initially submitted the vulnerability report to Redis during the Pwn2Own event in Berlin
  2. October 3, 2025: Redis published a security advisory and assigned CVE-2025-49844
  3. October 6, 2025: The Wiz research team released a blog post publicly disclosing vulnerability details

RediShell Attack Chain

The CVE-2025-49844 (RediShell) attack chain proceeds as follows:

Attackers send a malicious Lua script that triggers the use-after-free vulnerability → bypass the Lua sandbox and execute arbitrary code → establish a reverse shell for persistent access → steal credentials (such as .ssh files, IAM tokens, certificates) → install malware or cryptomining software → exfiltrate data from Redis and the host → use stolen tokens to access cloud services, escalate privileges, and move laterally to compromise additional systems.

Risk Impact and Defense Recommendations

Researchers warn that the vulnerability could be exploited in real-world attacks, including credential theft, malware deployment, data exfiltration, and lateral movement to other cloud services. However, exploiting the vulnerability requires authenticated access to a Redis instance, making it critical to protect Redis deployments by avoiding public internet exposure and implementing strong authentication mechanisms.

The Redis security advisory states explicitly: “[CVE-2025-49844] A use-after-free vulnerability in Lua scripts may lead to remote code execution. An authenticated user can manipulate the garbage collection mechanism through a specially crafted Lua script, triggering a use-after-free condition that may result in remote code execution.”

Affected Versions and Remediation

Affected Versions: All Redis versions supporting Lua scripting functionality are vulnerable. GitHub’s official announcement confirms: “All Redis versions supporting Lua scripting are affected by this issue.”

Official Fixes: Redis released patched versions on October 3, 2025, including versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2. Immediate upgrade is strongly recommended.

Temporary Mitigation: Use Access Control Lists (ACLs) to restrict the use of “EVAL” and “EVALSHA” commands, allowing only trusted users to execute Lua scripts or other high-risk commands.
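As an added defender-side example (not code from Redis, Wiz or this site), the following Python checks a reported `redis_version` against the fixed releases listed above and emits the interim ACL rule that blocks EVAL and EVALSHA for a user; the user name `appuser` and the `INFO server` sample are constructed.

```python
"""Added check for CVE-2025-49844 (RediShell); not code from Redis or Wiz.
Compares a Redis version against the patched releases in the advisory and
builds the ACL rule that denies EVAL/EVALSHA until the upgrade is done."""
import re

# Fixed releases per branch, as listed in the advisory (6.2.20, 7.2.11, 7.4.6, 8.0.4, 8.2.2).
FIXED = {(6, 2): (6, 2, 20), (7, 2): (7, 2, 11), (7, 4): (7, 4, 6),
         (8, 0): (8, 0, 4), (8, 2): (8, 2, 2)}

def parse_version(text):
    """Turn '7.2.5' (or '8.0.4-rc1') into a (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Redis version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """True if at or above the fixed release for its branch, False if below it,
    None if the advisory lists no fixed release for that branch (treat as
    affected until an advisory for that branch says otherwise)."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed

def version_from_info(info_text):
    """Extract redis_version from the text returned by the INFO server command."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")

def acl_mitigation(user):
    """ACL SETUSER command denying the Lua entry points named in the advisory
    (EVAL, EVALSHA) for an existing user; its other permissions stay as set."""
    return f"ACL SETUSER {user} -eval -evalsha"

# Constructed sample of `INFO server` output from an unpatched 7.2 node.
SAMPLE_INFO = """# Server
redis_version:7.2.5
redis_mode:standalone
"""

if __name__ == "__main__":
    ver = version_from_info(SAMPLE_INFO)
    status = is_patched(ver)  # False for the sample above
    print(f"redis {ver}: patched={status}")
    if status is not True:
        print("interim mitigation:", acl_mitigation("appuser"))
```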

Given that approximately 75% of cloud environments use Redis, the potential impact of this vulnerability is extensive. Wiz summarized: “RediShell (CVE-2025-49844) is a critical security vulnerability affecting all Redis versions, rooted in the underlying Lua interpreter. With hundreds of thousands of Redis instances exposed to the public internet worldwide, this vulnerability poses a significant threat to enterprises across all industries.” Organizations are urged to immediately audit their Redis instances, prioritizing those exposed to the public internet.
