Summary: Security Advisory: A critical vulnerability has been found in the Lua scripting engine of Redis, enabled by default in all versions, allows authenticated attackers to break out of the Lua sandbox and perform remote code execution (RCE) to gain full control of the affected system.

OEM	Redis
Severity	Critical
CVSS Score	10.0
CVEs	CVE-2025-49844
POC Available	Yes
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

Since Redis is used in most cloud environments the impact is highly critical. Redis team has released the patches and urged for immediate updates recommended to secure systems.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Lua Use-After-Free RCE Vulnerability	CVE-2025-49844	All Redis Software & OSS/CE/Stack versions with Lua scripting	Critical	Redis Software: 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, 6.4.2-131+ Redis OSS/CE: 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+ Redis Stack: 7.4.0-v7+, 7.2.0-v19+

Technical Summary

The vulnerability comes from a use-after-free (UAF) bug in Redis’s Lua scripting system, caused by improper checks during memory cleanup. Authenticated attackers can send malicious Lua scripts via EVAL or EVALSHA commands to manipulate memory, bypass the sandbox, and run arbitrary code. Even internal servers are at risk if attackers gain network access, making this flaw highly critical for both exposed and internal environments.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-49844	All Redis Software & OSS/CE/Stack below the fixed version	A user after free in the Lua garbage collector allows memory corruption via crafted scripts, enabling sandbox escape and RCE	Remote Code Execution

Recommendations

Upgrade to the below  fixed versions immediately.

• Redis Software: 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, 6.4.2-131+
• Redis OSS/CE: 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+
• Redis Stack: 7.4.0-v7+, 7.2.0-v19+

Here are some best practices

• Enable Strong Authentication: Configure strong passwords on all the instances, ensure protected-mode is enabled (in CE and OSS) to prevent accidental exposure.
• Network Controls: Restrict access to authorized IPs using firewalls or VPCs, limit access to trusted sources and prevent unauthorized connectivity.
• Limit permissions: To enhance security, user needs to give minimum necessary permissions.
• Monitoring: Check the logs to see if there are any suspicious activities.
• Incident Response: If compromised, isolate systems, rotate credentials, and scan for malware.

Conclusion:
This is a critical vulnerability with a CVSS score of 10.0, affecting all Redis versions with Lua scripting. The widespread Redis usage, default insecure configurations makes this a critical threat. Immediate patching and hardening are essential to prevent full system compromise, data breaches, and further attacks.

References:

• https://redis.io/blog/security-advisory-cve-2025-49844/
• https://www.bleepingcomputer.com/news/security/redis-warns-of-max-severity-flaw-impacting-thousands-of-instances/