CVE-2025-49844 in Redis (RediShell)
Summary
by MITRE • 10/03/2025
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. The workaround for this issue, without patching the redis-server executable, is to prevent users from executing Lua scripts. This can be done using ACL to restrict the EVAL and EVALSHA commands.
Analysis
by VulDB Data Team • 01/15/2026
Redis versions 8.2.1 and earlier contain a critical vulnerability in how Lua script execution interacts with the garbage collection mechanism. An authenticated user can craft a Lua script that manipulates the garbage collector so that a use-after-free occurs. The flaw lies in the interaction between Redis's Lua interpreter and its memory management, and it opens a path to arbitrary code execution: Lua script operations are not sufficiently validated during garbage collection cycles, so a malicious script can exploit timing and memory access patterns to run code outside the intended script boundaries. This is a severe flaw that directly affects the integrity and confidentiality of Redis deployments.
The vulnerability abuses the memory management underlying Redis's Lua scripting environment. A crafted script executed by an authenticated user can steer the garbage collector's behaviour to create dangling pointers or access freed memory regions; this happens through specific Lua operations that touch Redis's internal memory structures, particularly during garbage collection phases. The use-after-free arises when the Lua interpreter accesses memory the garbage collector has already released, which can let an attacker control the memory layout and execute arbitrary code. The flaw is particularly dangerous because it rides on Redis's legitimate scripting feature to achieve unauthorized code execution, which makes detection harder. It is classified as CWE-416 (use-after-free) and represents a privilege escalation vector reachable through the EVAL and EVALSHA commands.
The operational impact of CVE-2025-49844 goes beyond remote code execution: in production deployments it can amount to complete system compromise. An attacker can use the flaw to gain unauthorized access to sensitive data held in Redis, which can lead to data breaches and service disruption. Every Redis installation that lets authenticated users execute Lua scripts is affected, which is common in both development and production environments where scripting is enabled for administrative tasks. Organizations running Redis 8.2.1 or earlier face a significant risk of unauthorized access, data manipulation and lateral movement within their network. The attack surface is large because many Redis deployments are reachable over the network and accept authenticated connections through password-based authentication or ACL-based access controls.
Mitigation requires prompt action to prevent exploitation while keeping the service functional. The primary recommendation is to upgrade Redis to version 8.2.2 or later, which contains the fix for the garbage collector manipulation issue. Organizations that cannot upgrade immediately should block Lua script execution entirely through Redis's Access Control List (ACL) system, by revoking the EVAL and EVALSHA commands from all user accounts. Administrators should also consider network segmentation to limit Redis access to trusted sources, and disable Lua scripting altogether if operations do not require it. The ATT&CK framework categorizes this vulnerability under T1059.007 for script execution and T1566 for credential access, highlighting the multi-faceted attack vectors that exploit this weakness. Security monitoring should cover unusual Lua script execution patterns and memory access anomalies that may indicate exploitation attempts, and regular vulnerability assessments and penetration testing should be used to find and remediate similar weaknesses in Redis deployments.
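The ACL workaround above can be verified from `ACL LIST` output. The following is an added example, not code from the advisory or the Redis project: it replays each user's command rules in order and reports which Lua-executing commands remain allowed, and checks a reported version against the 8.2.2 fix. The sample `ACL LIST` lines are constructed, and the example additionally treats EVAL_RO/EVALSHA_RO (Redis 7+) as Lua entry points, which is an assumption the advisory does not make.

```python
"""Audit helpers for CVE-2025-49844: which Redis ACL users can still run Lua?"""
import re
from typing import Dict, List, Set
# EVAL/EVALSHA are named in the advisory; EVAL_RO/EVALSHA_RO (Redis 7+) also run
# Lua and are included as an assumption. Redis tags EVAL as @scripting and @slow.
LUA_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro"}
LUA_CATEGORIES = {"@all", "@scripting", "@slow"}
FIXED_VERSION = (8, 2, 2)  # the version the advisory names as fixed

def is_vulnerable_version(version: str) -> bool:
    """True if a redis_version string (from INFO server) predates 8.2.2."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < FIXED_VERSION

def lua_allowed(rules: List[str]) -> Set[str]:
    """Replay ACL command rules in order; return the Lua commands still allowed."""
    allowed: Set[str] = set()
    for rule in rules:
        if rule in ("allcommands", "+@all"):
            allowed = set(LUA_COMMANDS)
        elif rule in ("nocommands", "-@all"):
            allowed = set()
        elif rule[0] in "+-":
            target = rule[1:].lower()
            hit = set(LUA_COMMANDS) if target in LUA_CATEGORIES else {target} & LUA_COMMANDS
            allowed = allowed | hit if rule[0] == "+" else allowed - hit
    return allowed

def audit_acl_list(acl_list_output: str) -> Dict[str, Set[str]]:
    """Parse `ACL LIST` output; map each user to the Lua commands it may run."""
    findings: Dict[str, Set[str]] = {}
    for line in acl_list_output.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "user":
            continue
        # Skip flags, password hashes (#...), key (~) and channel (&) patterns.
        rules = [t for t in tokens[2:] if t[0] in "+-" or t in ("allcommands", "nocommands")]
        findings[tokens[1]] = lua_allowed(rules)
    return findings

def acl_setuser_rule(user: str) -> str:
    """Remediation: deny the @scripting category, which covers EVAL and EVALSHA."""
    return f"ACL SETUSER {user} -@scripting"

# Constructed sample `ACL LIST` output; the hashes are placeholders, not real users.
SAMPLE_ACL_LIST = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #<sha256-placeholder> ~app:* &* +@all -eval -evalsha
user batch on #<sha256-placeholder> ~* &* -@all +get +set +@scripting
"""
```

Under the stated assumption, revoking only `-eval -evalsha` (user `app`) still leaves the read-only variants, while `-@scripting` removes the whole category.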