Critical Redis Lua Scripting Vulnerability Patched
Redis, a widely used open-source data structure server, has issued security updates to address a severe vulnerability in its Lua scripting feature. Left unmitigated, the flaw could give an attacker full control of the underlying host.
The vulnerability, tracked as CVE-2025-49844, is a use-after-free memory corruption bug that can be triggered by specially crafted Lua scripts. An authenticated attacker can use it to manipulate Redis' garbage collector and achieve arbitrary native code execution on the host.
The vulnerable code was added to the Redis codebase in 2012, so every version up to and including v8.2.1 that has Lua scripting enabled is affected. Administrators are urged to install the updates immediately or, where that is not yet possible, to disable Lua scripting by using Access Control Lists (ACLs) to restrict the EVAL and EVALSHA commands.
Hardening Redis installations is crucial to prevent such breaches. This includes enabling authentication, disabling unnecessary commands, operating Redis with a non-root user account, activating Redis logging and monitoring, implementing network-level access control, and limiting access to authorized networks.
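As an added illustration (not part of the advisory and not the Redis project's own configuration), the redis.conf fragment below applies the mitigations just described on a Redis 7.x/8.x server that cannot be patched yet: it disables the password-less default user, denies the scripting commands by ACL, trims dangerous commands, binds to loopback and turns on logging. The user names `appuser` and `opsuser`, the key prefix `app:`, the password placeholders and the log path are assumptions.

```conf
# --- Authentication: no password-less access -------------------------------
# Turning the built-in "default" user off means every client must AUTH as a
# named user; there is no anonymous path into the server.
user default off

# --- Application account ---------------------------------------------------
# Rules are applied left to right. The account gets the full command set,
# then loses the whole @scripting category (EVAL, EVALSHA, EVAL_RO, EVALSHA_RO,
# SCRIPT, FCALL, FCALL_RO, FUNCTION) and the @dangerous category (FLUSHALL,
# CONFIG, DEBUG, SHUTDOWN, ...). EVAL and EVALSHA are also denied by name so the
# intent is explicit even if a later rule re-adds a category. Keys are limited
# to the app:* prefix (assumed) and the password is a placeholder to replace.
user appuser on >REPLACE_WITH_STRONG_PASSWORD ~app:* &* +@all -@scripting -@dangerous -eval -evalsha -eval_ro -evalsha_ro

# --- Operator account ------------------------------------------------------
# May manage configuration and ACLs but is still denied Lua execution.
user opsuser on >REPLACE_WITH_STRONG_PASSWORD ~* &* +@all -@scripting

# --- Network-level access control -----------------------------------------
# Listen on loopback only; reach the instance through a host firewall rule,
# SSH tunnel or private network rather than exposing 6379 directly.
bind 127.0.0.1 ::1
protected-mode yes
port 6379

# --- Logging and monitoring -----------------------------------------------
# Path is an assumption; make sure the (non-root) redis service user can
# write to it, and ship the file to the central log pipeline.
logfile /var/log/redis/redis-server.log
loglevel notice
```

After loading the file, `ACL LIST` should show the two named users with `-@scripting` in effect, and an `EVAL` attempt from `appuser` should be refused with a NOPERM error.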
The security updates addressing CVE-2025-49844 were released across Redis' commercial and open-source lines, as well as Redis Stack, in versions 7.2.0-v19, 7.2.11, 7.4.0-v7, 7.4.6, 8.0.4, and 8.2.2. Administrators should apply them promptly to reduce the risk of an attacker establishing persistent access, installing cryptominers or other malware, exfiltrating sensitive data, or stealing credentials.