Redis Server Use-After-Free Vulnerability Enables Remote Code Execution

A critical use-after-free vulnerability, identified as CVE-2025-49844, has been discovered in Redis servers, enabling authenticated attackers to achieve remote code execution.

This high-severity flaw affects all versions of Redis that utilize the Lua scripting engine, presenting a significant threat to a wide range of deployments that rely on the popular in-memory data store.

The core of the issue lies in how Redis handles memory management within its Lua scripting component. An authenticated user with permissions to run Lua scripts can craft a malicious script to manipulate the server’s garbage collector.

This manipulation triggers a use-after-free condition, a memory corruption flaw where the application attempts to access memory after it has already been freed.

Vulnerability Details

A skilled attacker can exploit this condition to hijack the application’s execution flow, ultimately leading to the execution of arbitrary code on the server. This provides the attacker with control over the Redis instance and the underlying system.

The potential for remote code execution makes this a critical vulnerability. A successful exploit could allow an attacker to compromise the confidentiality, integrity, and availability of the data stored within the Redis database.

Attackers could steal sensitive information, modify or delete records, or cause a denial-of-service condition. Furthermore, a compromised Redis server can serve as a foothold for attackers to move laterally across a network, escalating their privileges and targeting other internal systems.

The flaw’s impact is widespread, as it affects all Redis versions that support Lua scripting, a feature that has been integral to the platform for many years.

CVE ID: CVE-2025-49844
Affected Product(s): All Redis versions with Lua scripting
Impact: Remote Code Execution
Exploit Prerequisites: Authenticated access with permissions to execute Lua scripts
CVSS 3.1 Score: To be determined

Mitigations

While organizations await a formal security patch, a robust workaround is available to mitigate the risk. Administrators are strongly advised to prevent users from executing Lua scripts, which is the primary attack vector.

This can be implemented by modifying Redis Access Control Lists (ACLs) to restrict the EVAL and EVALSHA commands. By blocking these commands, any attempt to run a malicious script will be denied, effectively neutralizing the threat.

This workaround provides an immediate defense without needing to update the redis-server executable and should be prioritized for all production environments.
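To check that the ACL workaround is actually in effect on an instance, the following audit script (an added example, not code from the article or from the Redis project) classifies each line of `ACL LIST` output by whether that user can still call EVAL or EVALSHA. It uses a simplified model of Redis ACL rule evaluation and flags Redis 7 selector syntax for manual review; the sample `ACL LIST` output is constructed.

```python
# Added example (not from the article): audit `redis-cli ACL LIST` output for users who can
# still run EVAL/EVALSHA. Simplified model of Redis ACL evaluation: rules apply left to right,
# later rules win, only rules that grant/deny EVAL/EVALSHA matter; Redis 7 "(...)" selectors
# are not modelled and are flagged for review.
SCRIPT_COMMANDS = ("eval", "evalsha")
# Categories containing EVAL/EVALSHA: both are @scripting, and every non-fast command is @slow.
CATEGORIES_WITH_SCRIPTING = {"@all", "@scripting", "@slow"}


def lua_status(acl_line: str) -> str:
    """Classify one `ACL LIST` line: 'disabled', 'blocked', 'review' or 'can-run-lua'."""
    fields = acl_line.split()
    if len(fields) < 2 or fields[0] != "user":
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    enabled = False
    allowed = dict.fromkeys(SCRIPT_COMMANDS, False)  # new users start with no commands
    for rule in fields[2:]:
        if rule.startswith("("):
            return "review"            # selector: ask the server with ACL DRYRUN instead
        if rule in ("on", "off"):
            enabled = rule == "on"
        elif rule in ("allcommands", "nocommands"):
            allowed = dict.fromkeys(SCRIPT_COMMANDS, rule == "allcommands")
        elif rule[0] in "+-" and rule[1:] in CATEGORIES_WITH_SCRIPTING:
            allowed = dict.fromkeys(SCRIPT_COMMANDS, rule[0] == "+")
        elif rule[0] in "+-" and rule[1:] in SCRIPT_COMMANDS:
            allowed[rule[1:]] = rule[0] == "+"
    if not enabled:
        return "disabled"
    return "can-run-lua" if any(allowed.values()) else "blocked"


def audit_acl_list(acl_list_output: str) -> dict:
    """Map each user in `ACL LIST` output to its Lua-execution status."""
    return {line.split()[1]: lua_status(line)
            for line in acl_list_output.splitlines() if line.strip()}


# Constructed sample in the format `ACL LIST` prints (hash/password values are fake).
SAMPLE_ACL_LIST = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #0123abcd ~app:* resetchannels +@all -eval -evalsha
user batch on >secret ~* &* -@all +@read +@scripting
user legacy off nopass ~* &* +@all
user ops on nopass ~* &* +@all -@scripting
"""

if __name__ == "__main__":
    for user, status in audit_acl_list(SAMPLE_ACL_LIST).items():
        print(f"{user:8} {status}")
```

Feed it the output of `redis-cli ACL LIST` from each instance; on Redis 7 and later, `ACL DRYRUN <user> EVAL "return 1" 0` gives the server's own verdict for any user reported as review.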

The issue was responsibly disclosed by researchers Benny Isaacs, Nir Brakha, and Sagi Tzadik of Wiz, who collaborated with Trend Micro’s Zero Day Initiative.

The post Redis Server Use-After-Free Vulnerability Enables Remote Code Execution appeared first on Cyber Security News.
