The developers of Redis have released patches addressing a newly discovered critical vulnerability that could allow attackers to execute arbitrary code on affected servers. Security researchers from Wiz, who identified the issue, state this is the first critical vulnerability ever reported in Redis.
The flaw has been assigned the identifier CVE-2025-49844. It affects all Redis versions with Lua scripting enabled and carries a maximum CVSS score of 10.0.
The vulnerability arises from a use-after-free condition in the Lua scripting engine. An authenticated attacker can craft a malicious Lua script to manipulate the garbage collector, escape the sandbox, and execute arbitrary code on the Redis server.
Potential consequences include:
- Theft of keys, tokens, and credentials
- Deployment of malware
- Extraction of sensitive database or system data
- Lateral movement within a cloud or enterprise environment
According to the US National Vulnerability Database (NVD), the issue has a CVSS score of 8.8 (High), while Redis and Wiz rate it at 10.0 (Critical).
Exposure Risks
Wiz researchers report that 330,000 Redis instances are accessible from the internet, with approximately 60,000 lacking authentication. Additionally, around 57% of Redis deployments in cloud environments run in containerized form, where security is often misconfigured.
While exploitation requires authentication, Redis instances on internal networks often run without enforced credentials. This increases the risk of unauthorized access and exploitation if attackers gain a foothold inside a cloud or enterprise network.
Redis Response and Fixed Versions
Redis has already applied patches to its Redis Cloud service, requiring no customer action for managed environments. Self-managed users of Redis Open Source, Community Edition, Stack, or Enterprise Software must upgrade to patched versions.
Fixed Releases:
- Redis OSS/CE/Stack:
- 8.2.2 and above
- 8.0.4 and above
- 7.4.6 and above
- 7.2.11 and above
- Stack: 7.4.0-v7 and above, 7.2.0-v19 and above
- Redis Software (Enterprise):
- 7.22.2-12 and above
- 7.8.6-207 and above
- 7.4.6-272 and above
- 7.2.4-138 and above
- 6.4.2-131 and above
Mitigation and Best Practices
Redis advises administrators to take the following precautions in addition to patching:
- Restrict network access to Redis instances using firewalls and network policies.
- Enforce strong authentication and avoid unauthenticated configurations.
- Limit permissions to prevent unauthorized users from executing Lua scripts.
- Use Access Control Lists (ACLs) to disable the
EVALandEVALSHAcommands if patching is not immediately possible.
Indicators of Potential Exploitation
Redis has reported no evidence of active exploitation. However, administrators should monitor for the following signs:
- Connections from unauthorized or unexpected sources
- Unusual network traffic to or from Redis servers
- Unexpected use of Redis scripting commands
- Unfamiliar or suspicious Lua scripts stored in Redis
- Unexplained Redis crashes linked to Lua execution
- Abnormal file system changes in Redis directories
The vulnerability was reported by Wiz researchers Benny Isaacs, Nir Brakha, and Sagi Tzadik, working with Trend Micro’s Zero Day Initiative.
