Critical Redis Lua Use-After-Free Vulnerability Exploitable for Remote Code Execution
Summary
A critical vulnerability in Redis, tracked as CVE-2025-49844, allows authenticated attackers to achieve remote code execution on vulnerable instances. The flaw, a 13-year-old use-after-free weakness in the Redis Lua scripting engine, affects all versions of Redis and can be exploited to gain full access to the host system. Successful exploitation can lead to data exfiltration, encryption, or lateral movement within cloud environments. The vulnerability impacts approximately 330,000 exposed Redis instances, with around 60,000 of them not requiring authentication. Patches have been released, and administrators are urged to update their instances immediately.
Timeline
- 06.10.2025 18:55 (1 article)
Critical Redis Lua Use-After-Free Vulnerability Disclosed
A critical vulnerability in Redis, tracked as CVE-2025-49844, has been disclosed. The flaw, a 13-year-old use-after-free weakness in the Lua scripting engine, affects all versions of Redis. Successful exploitation allows authenticated attackers to achieve remote code execution, leading to data exfiltration, encryption, or lateral movement within cloud environments. Approximately 330,000 Redis instances are exposed online, with around 60,000 of them not requiring authentication. Patches have been released, and administrators are urged to update their instances immediately.
- Redis warns of critical flaw impacting thousands of instances — www.bleepingcomputer.com — 06.10.2025 18:55
Information Snippets
- The vulnerability, CVE-2025-49844, is a 13-year-old use-after-free weakness in the Redis Lua scripting engine.
  First reported: 06.10.2025 18:55 (1 source, 1 article)
- Successful exploitation allows attackers to escape the Lua sandbox, establish a reverse shell, and achieve remote code execution.
  First reported: 06.10.2025 18:55 (1 source, 1 article)
- Approximately 330,000 Redis instances are exposed online, with 60,000 of them not requiring authentication.
  First reported: 06.10.2025 18:55 (1 source, 1 article)
- The vulnerability can be exploited to steal credentials, deploy malware, extract sensitive data, and move laterally within the victim's network.
  First reported: 06.10.2025 18:55 (1 source, 1 article)
- Patches have been released for all affected Redis versions, and administrators are urged to update their instances immediately.
  First reported: 06.10.2025 18:55 (1 source, 1 article)
- Additional security measures include enabling authentication, disabling unnecessary commands, launching Redis as a non-root user, and implementing network-level access controls.
  First reported: 06.10.2025 18:55 (1 source, 1 article)