A critical security vulnerability has been discovered in Redis that could allow remote code execution through a crafted Lua script. Identified as CVE-2025-49844, the flaw has received a CVSS score of 10.0, the highest possible rating, reflecting both its severity and potential impact.
The vulnerability was responsibly disclosed by researchers at Wiz and Trend Micro’s Zero Day Initiative and has since been fixed by the Redis team responding quickly and transparently and issuing patches with clear remediation guidance. Organizations running Redis, whether open source or commercial versions, are strongly urged to update their deployments immediately.
At the heart of this vulnerability is a use-after-free bug in the Lua scripting engine embedded in Redis. The flaw can be exploited by an authenticated attacker who submits a specially crafted Lua script designed to manipulate Redis’ memory management. This abuse of the Lua garbage collector can lead to a use-after-free condition, which in turn opens the door to remote code execution. Essentially if an attacker already has access to your Redis instance, they could run a malicious script that compromises the host system.
While Redis reports no known exploitation of this vulnerability in the wild including on Redis Cloud, self-managed environments should assess their exposure. Signs of a possible compromise include unexpected Redis crashes (especially involving Lua), unusual or unauthorized access patterns, unexpected Lua scripts or command execution, anomalous network activity from or to the Redis server, and unexplained changes to Redis-related files. It isn’t confirmation but together may indicate suspicious behavior worth investigating, particularly if your Redis instance was exposed to untrusted networks or lacked strict access controls.
If you’re using Redis Cloud, no action is required as Redis has already deployed the patch across its managed infrastructure.
However, self-hosted users (Community Edition (CE), Open Source (OSS), Stack, or commercial Redis Software) need to act. Patch availability varies by version, but fixes are included in the following releases:
- OSS/CE: 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+
- Stack: 7.4.0-v7+, 7.2.0-v19+
- Redis Software: 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, 6.4.2-131+
If you’re unsure which version you’re running, check your Redis instance using the INFO command or consult your deployment tools.
Along with updating, you’ll also want to review basic Redis security practices:
- Ensure only trusted sources have network access to your instance.
- Requiring authentication and avoiding anonymous access.
- Limitting script execution to trusted users only.
These steps reduce the chances of it being exploited in the first place.
Even mature and widely trusted technologies like Redis are not immune to critical bugs, especially when complex features like Lua scripting are involved. If you’re running Redis in production, patching now is urgent.
For detailed version-specific patch information or configuration tips, review the official Redis security advisory.
Leave a Reply