Redis CVE-2025-49844: Use-After-Free may lead to remote code execution

Original link: https://redis.io/blog/security-advisory-cve-2025-49844/

## Redis security vulnerability: critical remote code execution risk

A critical security vulnerability (CVE-2025-49844) has been found in Redis that could allow an authenticated attacker to execute remote code through a use-after-free in the Lua engine. The vulnerability has a CVSS score of 10.0.

**To protect your Redis instance:** restrict network access, enforce strong authentication (enable protected mode), and limit user permissions, especially for Lua scripting.

**Remediation:** Redis Cloud has already been updated automatically. Users of self-managed Redis Software, Community Edition (CE), open source (OSS) and Stack must upgrade to the following versions or later:

* **Software:** 7.22.2-12, 7.8.6-207, 7.4.6-272, 7.2.4-138, 6.4.2-131
* **OSS/CE/Stack:** 8.2.2, 8.0.4, 7.4.6, 7.2.11, Stack 7.4.0-v7, 7.2.0-v19

There is currently no evidence that the vulnerability has been exploited, but monitoring for unauthorized access, unusual network traffic, unexpected script activity and server crashes is recommended.

The vulnerability was responsibly reported by researchers from Wiz, Trend Micro and the Zero Day Initiative.

Redis has a potential remote code execution vulnerability (CVE-2025-49844) that stems from a use-after-free. Although it was discussed on Hacker News earlier today, the vulnerability requires an authenticated user to exploit, which lowers the risk for many standard Redis installations.

The remedies are to upgrade to a fixed version or, more simply, to disable Lua script execution through Redis ACLs, which is a viable option for the many users who do not use the Lua engine. Some commenters pointed out, however, that Lua scripting is one of Redis' powerful features.

Notably, Shodan data shows more than 52,000 publicly accessible Redis instances. Concern was raised about whether users of services such as Upstash are aware of this vulnerability, but Upstash uses a proprietary implementation and is not directly affected. The vulnerability highlights the advantages of memory-safe programming languages.

Original text

What happened?

As part of an ongoing effort by Redis and the Redis community to maintain Redis’ safety, security, and compliance posture, a security vulnerability in Redis has been identified and remediated in the versions indicated below.

What is the vulnerability?

[CVE-2025-49844] Lua use-after-free may lead to remote code execution. CVSS Score: 10.0 (Critical)

An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution.

How can you protect your Redis instance?

Exploitation of this vulnerability requires an attacker to first gain authenticated access to your Redis instance.

There are several steps you can take to protect your Redis from being accessed by a malicious actor. To minimize the risk of exploitation, it’s important to follow these best practices:

  • Restrict network access. Ensure that only authorized users and systems have access to the Redis database. Use firewalls and network policies to limit access to trusted sources and prevent unauthorized connectivity.
  • Enforce strong authentication. Enforce the use of credentials for all access to Redis instances. Avoid configurations that allow unauthenticated access, and ensure protected-mode is enabled (in CE and OSS) to prevent accidental exposure.
  • Limit permissions. Ensure that user identities with access to Redis are granted the minimum permissions necessary. Only allow trusted identities to run Lua scripts or any other potentially risky commands.
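The three controls above, and the ACL-based alternative of withholding Lua from application users that the summary mentions, can be checked mechanically. The following is an added example (not Redis' own tooling): it parses a `redis.conf`, reports where network exposure, authentication, or scripting permissions fall short of the advice, and builds an `ACL SETUSER` rule that grants everything except the `@scripting` category. The two sample configurations are constructed, and the password is a placeholder.

```python
"""Audit a redis.conf against the advisory's three hardening steps and build an
ACL rule that withholds Lua scripting. This is an added example, not Redis'
own tooling; the sample configurations below are constructed."""


def parse_conf(text):
    """Map each directive (lowercased) to the list of argument lists seen for it."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_conf(text):
    """Return (severity, finding) tuples for network exposure, missing
    authentication and ACL users that are still allowed to run scripts."""
    conf = parse_conf(text)
    findings = []

    # 1. Restrict network access: no 'bind' at all, or binding a wildcard
    #    address, makes the instance reachable from every interface.
    #    A leading '-' marks an optional address in Redis 7 (e.g. '-::1').
    binds = [b.lstrip("-") for args in conf.get("bind", []) for b in args]
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append(("HIGH", "bind: listens on all interfaces; bind to trusted addresses only"))

    # 2. Enforce strong authentication: protected-mode on (Redis' default when
    #    unset) and at least one credential source (requirepass or ACLs).
    protected = conf.get("protected-mode", [["yes"]])[-1]
    if not protected or protected[0].lower() != "yes":
        findings.append(("HIGH", "protected-mode is off; set 'protected-mode yes'"))
    has_credentials = bool(conf.get("requirepass")) or "aclfile" in conf or "user" in conf
    if not has_credentials:
        findings.append(("HIGH", "no requirepass or ACL users; unauthenticated access is possible"))

    # 3. Limit permissions: inline ACL users that keep @scripting (or that use
    #    nopass) can reach the Lua engine.
    for args in conf.get("user", []):
        name, rules = args[0], args[1:]
        if "nopass" in rules:
            findings.append(("HIGH", f"user {name}: nopass grants access without a credential"))
        grants_all = "+@all" in rules or "allcommands" in rules
        if grants_all and "-@scripting" not in rules:
            findings.append(("MEDIUM", f"user {name}: can run Lua scripts; add -@scripting unless required"))
    return findings


def acl_setuser_without_scripting(name, password, key_pattern="~*"):
    """Build the ACL SETUSER command for an application user that gets every
    command except the @scripting category (EVAL, EVALSHA, SCRIPT, FUNCTION...)."""
    return f"ACL SETUSER {name} on >{password} {key_pattern} &* +@all -@scripting"


# Constructed sample: a permissive configuration.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: hardened per the advisory (password is a placeholder).
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
aclfile /etc/redis/users.acl
user appuser on >PLACEHOLDER_PASSWORD ~app:* &* +@all -@scripting
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_conf(conf) or 'no findings'}")
    print(acl_setuser_without_scripting("appuser", "PLACEHOLDER_PASSWORD", "~app:*"))
```

Run it against your own `redis.conf`; the weak sample yields three high-severity findings and the hardened one none. Removing `@scripting` only helps for identities that do not need Lua, so confirm with your application owners before applying the rule to a shared user.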

For more details on how to securely configure, deploy, and use Redis, visit the Redis Community Edition and Redis Software documentation sites.

How can I remediate?

We’ve already upgraded our Redis Cloud service with the fixes, so no additional action is required from you.

If you’re self-managing Redis, whether Software or Community versions, upgrade your Redis to the latest release.

The versions of Redis OSS, CE, Stack, and Software listed below include the fixes. Once the upgrades are performed, the vulnerability will be remediated in your environment.

| Vulnerability | Impacted releases | Fixed releases |
| --- | --- | --- |
| [CVE-2025-49844] Lua Use-After-Free may lead to remote code execution. CVSS Score: 10.0 (Critical) | All Redis Software releases | 7.22.2-12 and above, 7.8.6-207 and above, 7.4.6-272 and above, 7.2.4-138 and above, 6.4.2-131 and above |
| | All Redis OSS/CE/Stack releases with Lua scripting | OSS/CE: 8.2.2 and above, 8.0.4 and above, 7.4.6 and above, 7.2.11 and above; Stack: 7.4.0-v7 and above, 7.2.0-v19 and above |

How can I tell if I was already exposed?

We have no evidence of exploitation of this vulnerability in Redis Cloud, nor has any been reported in customer environments.

Below are general indicators of potential exploitation that you may use to search within your operating environment.

These technical and behavioral indicators or artifacts could be created if exploitation occurred. If you search for these within your Redis environment, you may be able to detect potential exploitation related to your Redis instance.

  • Access to the Redis database from unauthorized or unknown sources
  • Unknown or anomalous network ingress traffic to the Redis database
  • Unknown or unexpected use of the Redis scripting commands
  • Unknown or unexpected scripts present in your Redis database
  • Unexplained Redis server crashes, specifically crashes with a stack trace that originates from the Lua engine
  • Unknown, unexpected, or anomalous command execution by the redis-server user
  • Unknown or anomalous network egress traffic (or attempts) from the Redis database
  • Unknown or anomalous changes to the file system, in particular in directories that host Redis persistent or configuration files
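Two of these indicators lend themselves to a simple scan: scripting commands issued from clients outside the networks you expect, and crashes whose stack trace originates in the Lua engine. The following added example (not Redis' own tooling) checks both over `MONITOR` output and `redis-server` log lines; the sample lines are constructed in the shape Redis produces, and the trusted networks and addresses are illustrative.

```python
"""Scan Redis MONITOR output and redis-server log lines for two of the
advisory's indicators: scripting commands from clients outside the networks
you expect, and crash reports whose stack trace originates in the Lua engine.
Added example, not Redis' own tooling; all sample lines are constructed."""
import re
from ipaddress import ip_address, ip_network

# Commands that load or run Lua; the ACL @scripting category covers the same set.
SCRIPTING_COMMANDS = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO", "SCRIPT",
                      "FUNCTION", "FCALL", "FCALL_RO"}

# MONITOR line shape: <unix-ts> [<db> <client-addr>] "CMD" "arg" ...
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>\S+)\] "(?P<cmd>[^"]+)"(?P<args>.*)$')

# Crash-report frame shape (symbol+offset), e.g. redis-server *:6379(luaV_execute+0x7b5)[0x...]
LUA_FRAME_RE = re.compile(r"\((lua\w*)\+0x")


def client_host(addr):
    """'192.0.2.10:54321' -> '192.0.2.10', '[::1]:6379' -> '::1'; unix sockets unchanged."""
    if addr.startswith("unix:"):
        return addr
    host, sep, _port = addr.rpartition(":")
    return host.strip("[]") if sep else addr


def scan_monitor(lines, trusted_networks):
    """Return one finding per scripting command issued from a host outside trusted_networks."""
    nets = [ip_network(n) for n in trusted_networks]
    findings = []
    for line in lines:
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").upper()
        if cmd not in SCRIPTING_COMMANDS:
            continue
        host = client_host(m.group("addr"))
        try:
            trusted = any(ip_address(host) in net for net in nets)
        except ValueError:
            # Not an IP address: local unix-socket clients are treated as trusted here.
            trusted = host.startswith("unix:")
        if not trusted:
            findings.append({"ts": m.group("ts"), "host": host, "cmd": cmd,
                             "args": m.group("args").strip()})
    return findings


def lua_frames_in_crash_log(lines):
    """Collect Lua-engine symbols from the stack trace of any crash report in the log."""
    in_report, frames = False, []
    for line in lines:
        if "REDIS BUG REPORT START" in line:
            in_report = True
        elif "REDIS BUG REPORT END" in line:
            in_report = False
        elif in_report:
            m = LUA_FRAME_RE.search(line)
            if m:
                frames.append(m.group(1))
    return frames


# Constructed MONITOR capture: 10.0.0.5 is the application host, 198.51.100.77 is not.
MONITOR_SAMPLE = [
    '1758000000.101010 [0 10.0.0.5:41000] "SET" "session:1" "abc"',
    '1758000001.202020 [0 10.0.0.5:41000] "EVALSHA" "c0ffee" "1" "session:1"',
    '1758000002.303030 [0 198.51.100.77:50123] "SCRIPT" "LOAD" "local t = {}"',
    '1758000003.404040 [0 198.51.100.77:50123] "EVAL" "return 1" "0"',
    '1758000004.505050 [0 [::1]:6379] "PING"',
]
TRUSTED = ["10.0.0.0/24", "127.0.0.0/8", "::1/128"]

# Constructed crash excerpt in the shape redis-server writes on a fatal signal.
CRASH_LOG_SAMPLE = [
    "=== REDIS BUG REPORT START: Cut & paste starting from here ===",
    "12345:M 07 Oct 2025 10:00:00.000 # Redis crashed by signal: 11",
    "------ STACK TRACE ------",
    "redis-server *:6379(luaV_execute+0x7b5)[0x55d6b3e1a2c5]",
    "redis-server *:6379(luaD_call+0x5c)[0x55d6b3e0f3a1]",
    "redis-server *:6379(scriptCall+0x1f0)[0x55d6b3d9c1e0]",
    "=== REDIS BUG REPORT END. Make sure to include from START to END. ===",
]

if __name__ == "__main__":
    for f in scan_monitor(MONITOR_SAMPLE, TRUSTED):
        print("scripting command from untrusted host:", f)
    print("Lua frames in crash report:", lua_frames_in_crash_log(CRASH_LOG_SAMPLE))
```

`MONITOR` is itself costly on a busy instance, so feed the scanner a short capture or a proxy's command log rather than leaving it attached; a Lua-originated crash alone is not proof of exploitation, but combined with scripting commands from an unexpected client it is worth an incident ticket.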

Who gets the credit?

We thank the following researchers for being so kind as to identify this vulnerability and report it through our published process:

  • The problem was reported by Wiz researchers Benny Isaacs (@benny_isaacs), Nir Brakha, Sagi Tzadik (@sagitz_) working with Trend Micro, Zero Day Initiative