Critical Lua Sandbox Escape Flaw in Redis Allows Remote Code Execution (RCE)
Summary: Security Advisory: A critical vulnerability in the Lua scripting engine of Redis, which is enabled by default in all versions, allows authenticated attackers to break out of the Lua sandbox and achieve remote code execution (RCE), gaining full control of the affected system.
| Field | Value |
|---|---|
| OEM | Redis |
| Severity | Critical |
| CVSS Score | 10.0 |
| CVEs | CVE-2025-49844 |
| POC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Since Redis is used in most cloud environments, the impact is highly critical. The Redis team has released patches and urges immediate updates to secure affected systems.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
|---|---|---|---|---|
| Lua Use-After-Free RCE Vulnerability | CVE-2025-49844 | All Redis Software & OSS/CE/Stack versions with Lua scripting | Critical | Redis Software: 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, 6.4.2-131+; Redis OSS/CE: 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+; Redis Stack: 7.4.0-v7+, 7.2.0-v19+ |
Technical Summary
The vulnerability stems from a use-after-free (UAF) bug in Redis's Lua scripting engine, caused by insufficient checks during memory cleanup. Authenticated attackers can send crafted Lua scripts via the EVAL or EVALSHA commands to corrupt memory, escape the sandbox, and run arbitrary code. Internal servers are also at risk if an attacker gains network access, so the flaw is critical for both exposed and internal environments.
| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-49844 | All Redis Software & OSS/CE/Stack below the fixed version | A use-after-free in the Lua garbage collector allows memory corruption via crafted scripts, enabling sandbox escape and RCE | Remote Code Execution |
Recommendations
Upgrade to the fixed versions listed below immediately.
- Redis Software: 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, 6.4.2-131+
- Redis OSS/CE: 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+
- Redis Stack: 7.4.0-v7+, 7.2.0-v19+
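To turn the fixed-version list above into a repeatable check, the following script (an added example, not part of this advisory or of the Redis project) parses the `redis_version` field from `redis-cli INFO server` output and compares it against the Redis OSS/CE fixed releases quoted above. The branch-matching rule is this example's assumption: a build counts as patched only when its own major.minor branch has a listed fix and the build is at or above it; branches with no listed fix are reported as requiring an upgrade, since the advisory states that every version with Lua scripting is affected. The `INFO` output embedded below is constructed, not captured from a real host.

```python
"""Compare a Redis OSS/CE version against the CVE-2025-49844 fixed releases.

Added example, not part of the advisory. The fixed-version list is copied
from the advisory; the branch-matching rule is this example's own assumption.
"""

import re
from typing import Optional, Tuple

# Fixed Redis OSS/CE releases from the advisory (first patched build per branch).
FIXED_OSS_CE = ("8.2.2", "8.0.4", "7.4.6", "7.2.11")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.4.6' (or '7.4.6-rc1', '7.22.2-12') into a tuple of ints.

    Only the dotted numeric prefix is compared; a '-' suffix is ignored.
    """
    m = re.match(r"^v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def fixed_version_for_branch(version: str, fixed=FIXED_OSS_CE) -> Optional[str]:
    """Return the advisory's fixed release for the same major.minor branch, if any."""
    major_minor = parse_version(version)[:2]
    for fv in fixed:
        if parse_version(fv)[:2] == major_minor:
            return fv
    return None


def is_patched(version: str, fixed=FIXED_OSS_CE) -> bool:
    """True only if the version is at or above the listed fix for its branch.

    Branches without a listed fix (for example 6.x OSS or 8.1.x) are treated
    as unpatched, because the advisory says all versions with Lua are affected.
    """
    fv = fixed_version_for_branch(version, fixed)
    if fv is None:
        return False
    return parse_version(version) >= parse_version(fv)


def version_from_info(info_output: str) -> str:
    """Extract redis_version from the text returned by `redis-cli INFO server`."""
    for line in info_output.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


# Constructed, abridged sample of `INFO server` output (not from a real host).
SAMPLE_INFO = """# Server
redis_version:7.4.5
redis_mode:standalone
os:Linux 6.1.0 x86_64
"""

if __name__ == "__main__":
    v = version_from_info(SAMPLE_INFO)
    status = "patched" if is_patched(v) else "VULNERABLE (upgrade required)"
    print(f"redis_version {v}: {status}")
```

In practice, feed the script the real output of `redis-cli -h <host> INFO server` for each instance in your inventory; Redis Software and Redis Stack builds use the separate version schemes listed above, so extend `FIXED_OSS_CE` with the matching list before checking those.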
Here are some best practices:
- Enable Strong Authentication: Configure strong passwords on all instances and ensure protected-mode is enabled (in CE and OSS) to prevent accidental exposure.
- Network Controls: Restrict access to authorized IPs using firewalls or VPCs; limit access to trusted sources and prevent unauthorized connectivity.
- Limit Permissions: Grant each user only the minimum permissions necessary.
- Monitoring: Review logs for any suspicious activity.
- Incident Response: If compromised, isolate systems, rotate credentials, and scan for malware.
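The authentication, network-control and least-privilege points above can be audited mechanically against a `redis.conf`. The script below is an added example, not part of this advisory or of the Redis project: it parses the file, then flags a disabled `protected-mode`, a missing password, a `bind` that listens on all interfaces, and any ACL user whose rules leave EVAL/EVALSHA (the commands named in the Technical Summary) reachable. The directive names and the `@scripting` ACL category are real Redis configuration keywords; the wording of the findings, the ACL-evaluation heuristic (only `@all`, `@scripting`, `eval` and `evalsha` tokens are modelled), and the two sample configurations are this example's own constructions, with placeholder passwords.

```python
"""Audit a redis.conf for the hardening points in this advisory.

Added example, not part of the advisory or the Redis project. The ACL
heuristic and finding texts are this example's own.
"""

import shlex
from typing import List, Tuple

SCRIPT_CMDS = {"eval", "evalsha"}


def parse_redis_conf(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) pairs in file order; comments and blanks dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted values such as requirepass "..."
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def user_can_run_scripts(rules: List[str]) -> bool:
    """Apply ACL rule tokens left to right and report whether EVAL or EVALSHA
    remains allowed. Heuristic: only @all/@scripting/eval/evalsha tokens are
    modelled; key, channel and password tokens are ignored. 'off' disables all."""
    allowed = set()
    for tok in rules:
        t = tok.lower()
        if t == "off":
            return False
        if t in ("+@all", "allcommands", "+@scripting"):
            allowed = set(SCRIPT_CMDS)
        elif t in ("-@all", "nocommands", "-@scripting"):
            allowed = set()
        elif t in ("+eval", "+evalsha"):
            allowed.add(t[1:])
        elif t in ("-eval", "-evalsha"):
            allowed.discard(t[1:])
    return bool(allowed)


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    last = {}   # last value wins for single-valued directives, as in Redis
    users = []  # every 'user' line, in order
    for directive, args in parse_redis_conf(text):
        if directive == "user":
            users.append(args)
        else:
            last[directive] = args
    findings = []

    if last.get("protected-mode", ["yes"])[0].lower() != "yes":  # Redis default: yes
        findings.append("protected-mode is disabled; set 'protected-mode yes'")

    requirepass = last.get("requirepass", [])
    has_requirepass = bool(requirepass and requirepass[0])
    acl_user_with_password = any(
        "nopass" not in u and any(t.startswith((">", "#")) for t in u) for u in users
    )
    if not has_requirepass and not acl_user_with_password:
        findings.append("no authentication: set 'requirepass' or define ACL users with passwords")

    bind = last.get("bind")
    if bind is None or any(b.lstrip("-") in ("0.0.0.0", "*", "::", "::*") for b in bind):
        findings.append("bind listens on all interfaces; restrict to specific addresses")

    if not any(u and u[0] == "default" for u in users):
        findings.append("default user not restricted; it can run every command, EVAL included")
    for u in users:
        if u and user_can_run_scripts(u[1:]):
            findings.append(f"ACL user '{u[0]}' can run EVAL/EVALSHA; add '-@scripting' unless Lua is required")
    return findings


# Constructed sample configurations (placeholder passwords, not real secrets).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
# requirepass not set
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass "CHANGE-ME-placeholder"
user default off
user app on >CHANGE-ME-placeholder ~app:* &* +@all -@scripting
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or ['no findings']}")
```

The `-@scripting` rule is the least-privilege control that matters most for this CVE: an account that cannot issue EVAL or EVALSHA cannot reach the vulnerable code path even before the upgrade lands, so use the audit to find every ACL user that still needs the rule.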
Conclusion:
This is a critical vulnerability with a CVSS score of 10.0, affecting all Redis versions with Lua scripting. Widespread Redis usage and insecure default configurations make this a critical threat. Immediate patching and hardening are essential to prevent full system compromise, data breaches, and follow-on attacks.