What is CVE-2025-49844?
On October 3, 2025, Redis disclosed CVE-2025-49844, a critical remote code execution vulnerability in Redis, the widely used open-source in-memory data store. It carries a CVSS score of 10.0 and should be patched as a priority.
CVE-2025-49844 is a use-after-free memory corruption bug that has been present in the Redis source code for approximately 13 years. It allows an authenticated user to submit a specially crafted Lua script that manipulates the Lua garbage collector, triggers the use-after-free condition, and can lead to remote code execution on the host. Note that "authenticated" is a low bar in practice: Redis ships with authentication disabled by default, and many deployments never turn it on, so on such servers anyone who can reach the port meets the precondition.
This vulnerability was discovered by security researchers at Wiz and reported through Pwn2Own Berlin in May 2025, and it has been dubbed "RediShell." Redis published patches on October 3, 2025.
At the time of publication, no working exploit code had been released publicly; however, public proof-of-concept work was progressing toward reliable exploitation, so the window before weaponization should be assumed to be short.
Who is affected?
CVE-2025-49844 impacts all Redis versions that include Lua scripting support, which is every release since EVAL was introduced in Redis 2.6.
Fixed Redis OSS/CE/Stack versions:
- 8.2.2 and above
- 8.0.4 and above
- 7.4.6 and above (Stack: 7.4.0-v7 and above)
- 7.2.11 and above (Stack: 7.2.0-v19 and above)
- 6.2.20 and above
Fixed Redis Software (Enterprise) versions:
- 7.22.2-12 and above
- 7.8.6-207 and above
- 7.4.6-272 and above
- 7.2.4-138 and above
- 6.4.2-131 and above
Redis Cloud customers were automatically patched and do not require action.
How does RediShell work?
RediShell exploits insufficient validation of object liveness during garbage collection in Redis's Lua scripting subsystem. Lua scripting is enabled by default in Redis and commonly used to extend functionality.
The attack lets an authenticated user (or any client that can reach a server with no authentication configured) send a malicious Lua script that achieves arbitrary code execution outside the Redis Lua interpreter sandbox, and with it unauthorized access to the underlying host. The technical mechanism involves:
- Memory Corruption: Crafted Lua scripts manipulate the garbage collector to free memory that is still referenced by active objects.
- Sandbox Escape: The use-after-free condition allows code execution outside the Lua sandbox.
- Host Access: Attackers gain native code execution on the Redis host system.
After compromising a Redis host, attackers can steal credentials, deploy malware, extract sensitive data from Redis, move laterally to other systems, or use stolen information to gain access to cloud services.
How do you detect RediShell?
With Sysdig Secure, users can leverage “RediShell Detection” in the Threat Intelligence Feed to automatically query their environments for vulnerable versions of Redis.

Users can also rely on Sysdig vulnerability management to track CVE-2025-49844, and Sysdig Sage™ for guided remediation.
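Outside of a scanner, the quickest manual check is to ask each server for its version and compare it against the fixed releases listed above. The following script is an added example, not part of the original post or of the Redis project: it reads the output of `redis-cli INFO server`, extracts `redis_version`, and flags anything below the lowest fixed version on its branch. It covers Redis OSS/CE version strings only (Redis Stack and Redis Software use their own numbering, so their builds must be compared against the Stack/Enterprise lists instead), and it treats any branch without a listed fix as vulnerable rather than guessing. The `INFO` text embedded below is constructed for the example.

```python
"""Flag Redis OSS/CE servers whose reported version predates the CVE-2025-49844 fix.

Usage with a live server:  redis-cli -h HOST -p PORT INFO server | python3 check_redis.py
Run with no stdin to triage the constructed sample text at the bottom.
"""
import re
import sys
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Lowest fixed version on each Redis OSS/CE branch, taken from the advisory.
FIXED_OSS: Dict[Tuple[int, int], Version] = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
    (6, 2): (6, 2, 20),
}

# EVAL (and therefore the Lua interpreter) first shipped in Redis 2.6.
FIRST_LUA_VERSION: Version = (2, 6, 0)


def parse_version(text: str) -> Version:
    """Turn '7.2.4' (suffixes such as '-rc1' are ignored) into (7, 2, 4)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def redis_version_from_info(info: str) -> Optional[str]:
    """Extract the redis_version field from `INFO server` output (CRLF-separated)."""
    for line in info.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "redis_version":
            return value.strip()
    return None


def is_vulnerable(version_text: str) -> bool:
    """True if this Redis OSS/CE version still carries the Lua use-after-free."""
    v = parse_version(version_text)
    if v < FIRST_LUA_VERSION:
        return False  # no Lua interpreter at all, nothing to trigger
    branch = (v[0], v[1])
    if branch in FIXED_OSS:
        return v < FIXED_OSS[branch]
    if v >= max(FIXED_OSS.values()):
        return False  # newer than every fixed branch, so released after the patch
    # Branches with no listed fix (7.0.x, 6.0.x, 5.x, ...): nothing to upgrade to in place,
    # so they are reported as vulnerable and need a move to a supported branch.
    return True


def triage(info: str) -> Tuple[Optional[str], bool]:
    """Return (version, vulnerable) for one server's INFO output."""
    version = redis_version_from_info(info)
    if version is None:
        return None, True  # unknown build: assume the worst until verified by hand
    return version, is_vulnerable(version)


# Constructed sample: the relevant lines of `INFO server` from an unpatched 7.2.x.
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:7.2.4\r\n"
    "redis_mode:standalone\r\n"
    "os:Linux 6.1.0 x86_64\r\n"
)

if __name__ == "__main__":
    text = SAMPLE_INFO if sys.stdin.isatty() else sys.stdin.read()
    version, vulnerable = triage(text)
    label = "VULNERABLE, upgrade" if vulnerable else "fixed version"
    print(f"redis {version}: {label}")
```

Point it at every instance you own, including replicas and sidecar caches; a patched primary with an unpatched replica still leaves a Lua interpreter reachable on the network.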
Mitigation
Immediate Actions:
- Upgrade to a fixed version immediately. Where that is not yet possible, apply the temporary workaround from the Redis advisory: use Access Control Lists (ACLs) to deny the EVAL and EVALSHA command family (the @scripting ACL category) to every user that does not strictly need it.
- Ensure any vulnerable instances are not exposed to the Internet.
- Prioritize patching internet-exposed instances.
Security Best Practices:
- Restrict network access using firewalls and network policies to limit access to trusted sources.
- Enforce strong authentication for all access to Redis instances and ensure protected-mode is enabled.
- Run Redis with a non-root user account to limit the blast radius of potential compromise.
- Disable Lua scripting if it is not required for application functionality. Redis has no configuration switch that removes the interpreter, so in practice this means denying the scripting commands to all users via ACLs.
- Implement network segmentation to prevent lateral movement.
- Avoid exposing Redis instances to the public internet entirely.
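The immediate actions and best practices above map onto a handful of redis.conf settings. The fragment below is an added example, not taken from the original post or from the Redis documentation; it assumes Redis 6.2 or later ACL syntax, a loopback-only deployment, and a hypothetical application user named `app` that works under the `app:` key prefix. The passwords are placeholders to replace with long random secrets.

```conf
# redis.conf fragment: CVE-2025-49844 workaround plus hardening until the upgrade lands.
# Assumptions: Redis 6.2+ ACL syntax, app reachable over loopback, placeholder secrets.

# Listen only where the application can reach the server (never 0.0.0.0) and keep
# protected mode on, so a server that loses its bind/password still refuses
# non-loopback clients.
bind 127.0.0.1
protected-mode yes

# Authentication through ACL users. Removing @scripting from the default user
# denies EVAL, EVALSHA, EVAL_RO, EVALSHA_RO, SCRIPT, FCALL and FUNCTION in one
# rule, which is broader than renaming EVAL/EVALSHA individually.
user default on >change-me-to-a-long-random-secret ~* &* +@all -@scripting

# Least-privilege application user: its own key prefix, read/write commands,
# PING for health checks, and no @scripting grant at all.
user app on >another-long-random-secret ~app:* &* +@read +@write +ping
```

The same restriction can be applied to a running server without a restart with `redis-cli ACL SETUSER default -@scripting` followed by `CONFIG REWRITE` (or `ACL SAVE` when users live in an aclfile); `ACL CAT scripting` lists exactly which commands the category covers, and `ACL GETUSER default` confirms the rule took effect. Test the application against a staging instance first: any code path that still calls EVAL will fail with a NOPERM error, which is the signal to grant scripting back to a dedicated user once the server is patched.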
References
- Redis Security Advisory: https://redis.io/blog/security-advisory-cve-2025-49844/
- GitHub Security Advisory: https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q
- National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2025-49844
- Redis Commit Fix: https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539
- Wiz Research Analysis: https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844