
oss-sec mailing list archives
redis: CVE-2025-49844: Lua Use-After-Free may lead to remote code execution
From: Jan Schaumann <jschauma () netmeister org>
Date: Tue, 7 Oct 2025 17:36:45 -0400
I haven't seen it here on this list yet, so forwarding:

There's an RCE vulnerability in Redis with a CVSS Score of 9.9 (although advertised as 10.0):

https://nvd.nist.gov/vuln/detail/CVE-2025-49844
https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Impact

An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting.

Workarounds

An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Credit

The problem was reported by Wiz researchers Benny Isaacs (@benny_isaacs), Nir Brakha, Sagi Tzadik (@sagitz_) working with Trend Micro, Zero Day Initiative

---

Additional link, which assesses the vulnerability based on how many exposed instances don't require authentication:

https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844
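As an added example (not part of the original message or of the Redis project), here is a small Python audit of "ACL LIST" output that flags users who can still run the EVAL family after the ACL workaround above has been applied. It assumes Redis's documented ACL semantics (rules are applied left to right, "@scripting" is the category containing EVAL and EVALSHA, "off" disables a user) and also counts EVAL_RO and EVALSHA_RO, which exist in Redis 7 but are not named in the advisory; the sample ACL lines are constructed.

```python
# Added example: audit Redis "ACL LIST" lines for users able to run Lua scripts.
# Assumptions: +/- rules apply left to right; "@scripting" contains the EVAL
# family; EVAL_RO/EVALSHA_RO (Redis 7) also execute Lua; "off" disables a user.

SCRIPT_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro"}
SCRIPT_CATEGORY = "@scripting"


def user_can_run_scripts(acl_line):
    """True if one ACL LIST line describes a user who can execute EVAL-family commands."""
    tokens = acl_line.split()
    if len(tokens) < 3 or tokens[0] != "user" or tokens[2] == "off":
        return False
    allowed = set()
    # Only +/- rules matter here; key/channel patterns and passwords are skipped.
    for tok in tokens[3:]:
        rule = tok.lower()
        if rule in ("allcommands", "+@all", "+" + SCRIPT_CATEGORY):
            allowed = set(SCRIPT_COMMANDS)
        elif rule in ("nocommands", "-@all", "-" + SCRIPT_CATEGORY):
            allowed.clear()
        elif rule[:1] in "+-" and rule[1:] in SCRIPT_COMMANDS:
            (allowed.add if rule[0] == "+" else allowed.discard)(rule[1:])
    return bool(allowed)


def find_script_capable_users(acl_list):
    """Names of users (in ACL LIST order) who can still run Lua scripts."""
    return [line.split()[1] for line in acl_list if user_can_run_scripts(line)]


# Constructed sample ACL LIST output; password hashes replaced by a placeholder.
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<sha256-placeholder> ~app:* &* +@all -@scripting",
    "user partial on #<sha256-placeholder> ~* &* +@all -eval -evalsha",
    "user ops on #<sha256-placeholder> ~* &* -@all +@read +@scripting",
    "user legacy off nopass ~* &* +@all",
    "user svc on nopass ~* &* +@all -@scripting +eval",
]

if __name__ == "__main__":
    # "partial" is flagged because EVAL_RO/EVALSHA_RO remain allowed on Redis 7.
    for name in find_script_capable_users(SAMPLE_ACL_LIST):
        print(f"{name}: can still execute Lua scripts, tighten ACL")
```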