Critical CVSS 10.0 Vulnerability Allows Remote Code Execution by Attackers


October 7, 2025 | Ravie Lakshmanan | Vulnerability / Cloud Security

Critical Redis Security Vulnerability Uncovered

Recent developments in cloud security have brought to light a serious vulnerability in Redis, an in-memory database that many organizations rely on. Labeled as CVE-2025-49844, or colloquially known as RediShell, this flaw has earned a maximum CVSS score of 10.0, signaling its potential for significant impact if exploited.

Understanding the Vulnerability

The crux of this issue lies in the ability of an authenticated user to execute specially crafted Lua scripts. According to the advisory published on GitHub, this can trigger a use-after-free condition, which in turn may lead to remote code execution. In short, an attacker who already holds authenticated access can manipulate the garbage collector of Redis's embedded Lua interpreter.

It’s worth noting that successful exploitation requires an initial authenticated connection to a Redis instance. This detail emphasizes the importance of robust security measures—namely, securing these databases from unauthorized internet exposure and employing strong authentication protocols.

Which Versions Are Affected?

All Redis versions with Lua scripting support are affected by this vulnerability. Fixes shipped in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, all released on October 3, 2025. Users are strongly encouraged to update their Redis instances to these versions to mitigate the risk.

Preventive Measures and Workarounds

In light of this vulnerability, administrators are advised to take immediate preventive steps until they can apply the updates. One recommended workaround is to restrict Lua script execution by changing the access control list (ACL) settings to deny the EVAL and EVALSHA commands. Organizations should also ensure that only trusted, authenticated users can run Lua scripts or any other commands that carry security risk.
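Added example, not code from the article, Redis or Wiz: a small Python check that covers both the version guidance above and the ACL workaround. It reads the `redis_version` line from `INFO server` output, compares it against the fixed releases listed in this article, and evaluates whether an ACL rule line still lets EVAL or EVALSHA through. The INFO text and ACL lines are constructed samples, and the ACL rule subset it models is an assumption of this example.

```python
import re

# Fixed releases named in the advisory text, keyed by (major, minor) branch.
FIXED_RELEASES = {(6, 2): (6, 2, 20), (7, 2): (7, 2, 11), (7, 4): (7, 4, 6),
                  (8, 0): (8, 0, 4), (8, 2): (8, 2, 2)}
SCRIPT_COMMANDS = {"eval", "evalsha"}  # commands the ACL workaround denies

def parse_version(text):
    """Turn a version string such as '7.2.10' into (7, 2, 10)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised redis_version: {text!r}")
    return tuple(int(g) for g in m.groups())

def version_from_info(info_text):
    """Pull redis_version out of the text returned by `INFO server`."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return parse_version(line.split(":", 1)[1])
    raise ValueError("redis_version not found in INFO output")

def is_patched(version):
    """True when the version is at or past its branch's fixed release.
    Assumption: branches newer than 8.2 carry the fix; older branches with
    no listed fixed release are reported as unpatched."""
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version >= FIXED_RELEASES[branch]
    return branch > max(FIXED_RELEASES)

def scripting_allowed(acl_line):
    """Apply +/- ACL rules left to right, as Redis does, and report whether
    EVAL or EVALSHA remain callable. Only @all, @scripting and per-command
    +cmd/-cmd rules are modelled; that subset is an assumption of this check."""
    allowed = set()
    for token in acl_line.split():
        sign, name = token[0], token[1:].lower()
        if sign not in "+-":
            continue  # user name, on/off, passwords, key and channel patterns
        targets = SCRIPT_COMMANDS if name in ("@all", "@scripting") else {name}
        if sign == "+":
            allowed |= targets
        else:
            allowed -= targets
    return bool(allowed & SCRIPT_COMMANDS)

# Constructed sample inputs: an INFO excerpt and two ACL LIST-style lines.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.10\r\nredis_mode:standalone\r\n"
WEAK_ACL = "user default on nopass ~* &* +@all"
HARDENED_ACL = "user default on >s3cret ~* &* +@all -eval -evalsha"
```

Run it against real `redis-cli INFO server` and `ACL LIST` output: a version that is not patched combined with scripting still allowed is the state the workaround above exists to close.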

The Discovery of RediShell

Cloud security firm Wiz discovered this vulnerability and reported it to Redis on May 16, 2025. Wiz described it as a use-after-free memory corruption bug that had been present in the Redis codebase for nearly 13 years. The implications are considerable: an attacker can send a malicious Lua script to Redis and gain control not only of the database but also of the server hosting it.

In a potential exploit scenario, the attacker could access sensitive information, deploy malware, or move laterally across cloud environments to compromise additional systems. Wiz elaborated on this alarming capability, stating that it allows attackers to bypass the Lua sandbox, achieving arbitrary code execution directly on Redis hosts.

Current Risk Landscape

Although there are no confirmed reports of this vulnerability being exploited in the wild, the sheer number of reachable Redis instances makes them attractive targets for malicious actors. Currently, approximately 330,000 Redis instances are exposed online—of which around 60,000 lack any form of authentication. This situation underscores the urgency for organizations to prioritize security measures.

Wiz has highlighted that the combination of many exposed Redis instances, default insecure configurations, and the critical nature of this vulnerability makes it a significant threat across various sectors. The call to action is clear: organizations must take immediate steps to safeguard their data and infrastructure.
