Redis, the popular open-source in-memory data store widely used for real-time analytics, caching, and message brokering, has released multiple patches addressing four security vulnerabilities that could lead to remote code execution (RCE) and denial of service (DoS).
The flaws—tracked as CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, and CVE-2025-49844—impact all Redis versions that include Lua scripting support, a feature often used by developers to extend Redis’ functionality. The vulnerabilities have been fixed in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2.
CVE-2025-49844 (CVSS 10.0): Lua Use-After-Free Enables Remote Code Execution
The most severe of the four, CVE-2025-49844, received a maximum CVSS score of 10.0, indicating critical risk.
According to Redis’ advisory, “An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution.”
In simpler terms, this flaw arises from improper memory management in Redis’ embedded Lua interpreter. By manipulating the garbage collection process, attackers can exploit freed memory pointers to execute arbitrary code within the Redis server’s process—potentially compromising all stored data and enabling lateral movement across connected systems.
The vulnerability affects all Redis versions with Lua scripting enabled, making it a universal threat for self-hosted and enterprise deployments alike.
Redis advises administrators to upgrade immediately or apply temporary mitigations by restricting EVAL and EVALSHA command families using Access Control Lists (ACLs).
CVE-2025-46817 (CVSS 7.0): Integer Overflow in Lua Commands May Lead to RCE
Another serious flaw, CVE-2025-46817, affects Redis’ handling of Lua library commands and could result in integer overflow.
Redis explains: “An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution.”
The flaw stems from arithmetic operations performed within Lua scripts, where improper integer bounds checking could allow attackers to overwrite memory values. When chained with additional Lua functionality, this can grant the attacker the ability to execute arbitrary instructions on the host system.
Like the other Lua-related vulnerabilities, this issue affects all Redis versions supporting Lua scripting. Mitigation involves blocking EVAL and FUNCTION command families via ACLs until patched versions are installed.
CVE-2025-46818 (CVSS 6.0): Running Lua Functions as Another User
The third vulnerability, CVE-2025-46818, allows privilege escalation between Redis users through the misuse of Lua functions.
Redis’ report notes that “An authenticated user may use a specially crafted Lua script to manipulate different Lua objects and potentially run their own code in the context of another user.”
In multi-tenant or shared Redis environments—such as those used by managed service providers—this flaw could let one user impersonate another, accessing or modifying data beyond their permissions.
As with the other issues, the vulnerability can be mitigated by restricting EVAL and FUNCTION commands using ACL policies.
CVE-2025-46819 (CVSS 6.3): Out-of-Bounds Read in Lua Engine
The final vulnerability, CVE-2025-46819, may result in an out-of-bounds read within the Lua engine, enabling an attacker to leak sensitive memory data or crash the Redis server, leading to denial of service.
Redis describes the issue as follows: “An authenticated user may use a specially crafted Lua script to read out-of-bound data or crash the server and subsequent denial of service.”
The flaw could be leveraged in data leakage scenarios or serve as part of a multi-step exploit chain to gather memory addresses for further attacks.
Again, Redis recommends using ACL restrictions to disable Lua execution for untrusted users as a temporary workaround.
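The ACL workaround that each of the four advisories points to is only effective if no non-administrative user is left with a path to the Lua engine. As an added example (not code from the Redis advisory or the Redis project), the following Python script audits the text form of `ACL LIST`, applying each user's command rules in order the way Redis does, and reports every non-admin user who can still run an EVAL, EVALSHA, FUNCTION, FCALL or SCRIPT command. The user names, key patterns and ACL lines are constructed; the `admin_users` list and the assumption that no category other than `@all` and `@scripting` grants a scripting command are the script's own.

```python
"""
Audit Redis ACL rules for users who can still reach the Lua engine.

Added example, not code from the Redis advisory or the Redis project.
It parses the text form of `ACL LIST` (one "user ..." line per user, as
printed by redis-cli), applies each user's command rules in order the
way Redis does (later rules override earlier ones), and reports every
non-admin user who can still invoke an EVAL, EVALSHA, FUNCTION, FCALL
or SCRIPT command. The user names and ACL lines below are constructed.
"""

# Commands that execute or manage Lua code. Redis groups exactly these in
# the @scripting ACL category, so "-@scripting" is the shortest rule that
# blocks the EVAL, EVALSHA and FUNCTION families named in the advisory.
SCRIPTING_COMMANDS = frozenset({
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "function", "fcall", "fcall_ro", "script",
})

# Constructed sample of `redis-cli ACL LIST` output on a server where the
# workaround was applied inconsistently. "#<constructed-hash>" stands in
# for the SHA-256 password hash Redis prints.
SAMPLE_ACL_LIST = """\
user default on nopass sanitize-payload ~* &* +@all
user cache-app on #<constructed-hash> ~cache:* &* -@all +@read +@write +@scripting
user analytics on #<constructed-hash> ~stats:* &* +@all -@scripting +evalsha
user reporter on #<constructed-hash> ~report:* &* +@all -eval -evalsha -eval_ro -evalsha_ro -function -fcall -fcall_ro -script
user ops-admin on #<constructed-hash> ~* &* +@all
"""


def parse_acl_line(line):
    """Split one ACL LIST line into (username, ordered command rules).

    Key patterns (~), channel patterns (&), password hashes (#), the
    on/off flag and payload-sanitising flags are not command rules and
    are dropped; selectors in parentheses are not modelled here.
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    rules = [t for t in tokens[2:]
             if t[0] in "+-" or t in ("allcommands", "nocommands")]
    return tokens[1], rules


def allowed_scripting_commands(rules):
    """Return the scripting commands a rule list still permits.

    Only the @all and @scripting categories are modelled. Assumption:
    no other category grants a scripting command (Redis deliberately
    keeps EVAL_RO and friends out of @read). A subcommand-level deny
    such as "-function|flush" leaves the command partly usable, so it
    does not clear the command; a subcommand-level grant counts as
    access.
    """
    allowed = set()
    for rule in rules:
        if rule in ("allcommands", "+@all", "+@scripting"):
            allowed = set(SCRIPTING_COMMANDS)
        elif rule in ("nocommands", "-@all", "-@scripting"):
            allowed = set()
        elif rule[0] in "+-" and not rule[1:].startswith("@"):
            name, _, subcommand = rule[1:].lower().partition("|")
            if name not in SCRIPTING_COMMANDS:
                continue
            if rule[0] == "+":
                allowed.add(name)
            elif not subcommand:
                allowed.discard(name)
    return allowed


def audit_acl_list(acl_list_text, admin_users=("default", "ops-admin")):
    """Map each non-admin user that can still reach Lua to its commands."""
    findings = {}
    for line in acl_list_text.splitlines():
        if not line.strip():
            continue
        user, rules = parse_acl_line(line)
        if user in admin_users:
            continue
        allowed = allowed_scripting_commands(rules)
        if allowed:
            findings[user] = sorted(allowed)
    return findings


def remediation_commands(findings):
    """ACL SETUSER lines that close each finding. Run them through
    redis-cli, then persist with ACL SAVE or CONFIG REWRITE depending
    on where the users are stored."""
    return [f"ACL SETUSER {user} -@scripting" for user in sorted(findings)]


if __name__ == "__main__":
    result = audit_acl_list(SAMPLE_ACL_LIST)
    for user, commands in result.items():
        print(f"{user}: can still run {', '.join(commands)}")
    for cmd in remediation_commands(result):
        print(cmd)
```

On the constructed sample the audit flags `cache-app` (granted `+@scripting` wholesale) and `analytics` (whose trailing `+evalsha` silently re-opens what `-@scripting` closed), while `reporter`, who was denied every scripting command by name, passes. Order matters in Redis ACL rules, which is why the script replays them rather than looking for the presence of a deny token.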
Mitigations and Best Practices
While patches are available, Redis emphasizes that organizations should apply additional defense-in-depth measures to minimize risk:
- Upgrade to the latest Redis versions:
  - 6.2.20
  - 7.2.11
  - 7.4.6
  - 8.0.4
  - 8.2.2
- Restrict access to Lua scripting: Use ACLs to block EVAL, EVALSHA, and FUNCTION commands for all non-administrative users.
- Enforce network segmentation: Isolate Redis servers from external access and limit connections to trusted applications.
- Monitor for suspicious Lua activity: Log and alert on the execution of scripts or unusual memory behavior.
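Once scripting commands are denied by ACL, Redis records every blocked attempt in `ACL LOG`, which gives the monitoring bullet above something concrete to alert on. The following Python script is an added example (not from the Redis advisory or the Redis project): it takes ACL LOG entries in the dict shape that redis-py's `Redis.acl_log()` returns, keeps only those where a scripting command was denied, and rates repeated attempts higher. The entries, user names, addresses and the `repeat_threshold` value are constructed for the example.

```python
"""
Turn Redis ACL LOG entries into alerts for blocked Lua-scripting attempts.

Added example, not from the Redis advisory or the Redis project. Once
EVAL, EVALSHA and FUNCTION are denied by ACL, every blocked attempt is
recorded by `ACL LOG` with reason "command"; this script picks those
entries out and rates them. The entries below are constructed in the
dict shape that redis-py's `Redis.acl_log()` returns, so the code runs
offline; addresses and user names are made up.
"""

# Commands that reach the Lua engine (the @scripting ACL category).
SCRIPTING_COMMANDS = frozenset({
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "function", "fcall", "fcall_ro", "script",
})

# Constructed ACL LOG entries: one blocked EVAL, one key-permission denial
# (not scripting), a burst of blocked FUNCTION LOAD calls, and a failed
# AUTH. "client-info" mirrors the CLIENT LIST field format.
SAMPLE_ACL_LOG = [
    {"count": 3, "reason": "command", "context": "toplevel", "object": "eval",
     "username": "cache-app", "age-seconds": "12.1",
     "client-info": "id=12 addr=10.0.0.7:51234 laddr=10.0.0.2:6379 fd=9 name= user=cache-app"},
    {"count": 1, "reason": "key", "context": "toplevel", "object": "secrets:token",
     "username": "analytics", "age-seconds": "40.0",
     "client-info": "id=15 addr=10.0.0.9:40210 laddr=10.0.0.2:6379 fd=11 name=etl user=analytics"},
    {"count": 7, "reason": "command", "context": "toplevel", "object": "function|load",
     "username": "reporter", "age-seconds": "2.5",
     "client-info": "id=21 addr=198.51.100.23:55102 laddr=10.0.0.2:6379 fd=14 name= user=reporter"},
    {"count": 2, "reason": "auth", "context": "toplevel", "object": "AUTH",
     "username": "default", "age-seconds": "300.2",
     "client-info": "id=4 addr=198.51.100.23:55001 laddr=10.0.0.2:6379 fd=7 name= user=default"},
]


def client_addr(client_info):
    """Pull the peer address out of a CLIENT LIST style info string."""
    for field in client_info.split():
        if field.startswith("addr="):
            return field[len("addr="):]
    return "unknown"


def scripting_denials(entries, repeat_threshold=5):
    """Return one alert per ACL LOG entry that records a denied scripting
    command. A repeated denial (count >= repeat_threshold) is rated high,
    since a legitimate client usually stops after the first error."""
    alerts = []
    for entry in entries:
        if entry.get("reason") != "command":
            continue
        # "object" holds the command name, possibly "command|subcommand".
        command = str(entry.get("object", "")).lower().split("|", 1)[0]
        if command not in SCRIPTING_COMMANDS:
            continue
        count = int(entry.get("count", 1))
        alerts.append({
            "username": entry.get("username"),
            "command": command,
            "count": count,
            "source": client_addr(entry.get("client-info", "")),
            "severity": "high" if count >= repeat_threshold else "medium",
        })
    return alerts


def format_alert(alert):
    """Render an alert as a single log line for a SIEM or pager."""
    return (f"[{alert['severity'].upper()}] user={alert['username']} "
            f"source={alert['source']} denied {alert['command']} "
            f"x{alert['count']}")


if __name__ == "__main__":
    for alert in scripting_denials(SAMPLE_ACL_LOG):
        print(format_alert(alert))
```

In production the entries would come from a periodic `ACL LOG` poll (followed by `ACL LOG RESET` once they have been shipped) rather than the constructed list. The key-permission and AUTH failures are deliberately left out of this detector so that it answers one question only: who is still trying to execute Lua after the workaround was applied.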