Full Report
Redis has disclosed details of a maximum-severity security flaw in its in-memory database software that could result in remote code execution under certain circumstances. The vulnerability, tracked as CVE-2025-49844 (aka RediShell), has been assigned a CVSS score of 10.0. "An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free,
Analysis Summary
# Vulnerability: Redis Remote Code Execution via Lua Script Garbage Collector Manipulation (RediShell)
## CVE Details
- CVE ID: CVE-2025-49844
- CVSS Score: 10.0 (Critical)
- CWE: Use-After-Free / Memory Corruption
## Affected Systems
- Products: Redis in-memory database software
- Versions: All Redis versions with Lua scripting enabled that predate the patched releases listed under Remediation.
- Configurations: Requires an attacker to have authenticated access to the Redis instance.
## Vulnerability Description
This vulnerability, dubbed RediShell, is a 13-year-old Use-After-Free (UAF) memory corruption flaw triggered by manipulating the garbage collector within the Lua scripting environment. A malicious Lua script submitted by an authenticated client (via the `EVAL` or `EVALSHA` commands) can escape the Lua sandbox and achieve arbitrary native code execution on the underlying Redis host, giving the attacker full control of that host.
## Exploitation
- Status: No evidence of exploitation in the wild has been reported; the nature of the flaw and the advisory disclosure imply that a proof of concept exists.
- Complexity: Low (Requires only authenticated access and ability to run Lua scripts).
- Attack Vector: Network (Post-authentication)
## Impact
- Confidentiality: High (Potential to steal credentials, exfiltrate sensitive data).
- Integrity: High (Potential to wipe or modify data, drop malware).
- Availability: High (Potential to hijack resources, conduct cryptojacking).
## Remediation
### Patches
The vulnerability is addressed in the following versions released on October 3, 2025:
- Redis 6.2.20
- Redis 7.2.11
- Redis 7.4.6
- Redis 8.0.4
- Redis 8.2.2
### Workarounds
1. **ACL Restriction:** Prevent users from executing Lua scripts by setting an Access Control List (ACL) to strictly restrict the use of `EVAL` and `EVALSHA` commands.
2. **Authorization:** Ensure that only trusted identities or service accounts are permitted to run Lua scripts or any other potentially risky commands enabled by the configuration.
3. **Exposure Control:** Crucially, ensure that Redis instances are *not* exposed directly to the internet and that strong authentication layers are in place, as exploitation requires prior authentication.
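The ACL workaround above can be verified against a server's `ACL LIST` output. The following Python script is an added example, not code from this report or from the Redis project: it replays each user's command rules in order and reports enabled users who can still reach a scripting command (`EVAL`, `EVALSHA` and the related `EVAL_RO`, `EVALSHA_RO`, `SCRIPT`, `FCALL`, `FCALL_RO` and `FUNCTION` commands). The sample `ACL LIST` lines are constructed and show the weak passwordless default user beside a user hardened with `-@scripting`. The category membership the auditor relies on (`@all`, `@scripting` and `@slow` contain the script commands; the data-type and connection categories do not) is an assumption of the example, and any rule it does not model is flagged for manual review rather than silently accepted.

```python
import re

# Commands through which a client submits Lua code, or calls Lua functions, for execution.
SCRIPT_CMDS = frozenset({"eval", "evalsha", "eval_ro", "evalsha_ro",
                         "script", "fcall", "fcall_ro", "function"})
# ACL categories that include those commands: they are tagged @scripting and @slow
# in Redis' command table, and @all matches every command (assumption of this example).
CATEGORIES_WITH_SCRIPTS = frozenset({"all", "scripting", "slow"})
# Categories assumed to contain none of them (data-type and connection categories).
CATEGORIES_WITHOUT_SCRIPTS = frozenset({
    "read", "write", "fast", "keyspace", "string", "hash", "list", "set",
    "sortedset", "bitmap", "hyperloglog", "geo", "stream", "pubsub",
    "transaction", "connection"})

ACL_LINE_RE = re.compile(r"^user (\S+) (.*)$")


def script_permissions(rules):
    """Apply ACL rule tokens in order; return (script commands still allowed, needs_review).

    needs_review becomes True when a token is outside what this auditor models:
    a grant of a category not listed above (e.g. +@dangerous) or a subcommand
    rule on a scripting command (e.g. +script|exists).
    """
    allowed = set()                      # a fresh user starts as 'nocommands'
    needs_review = False
    for tok in rules:
        low = tok.lower()
        if low == "allcommands":
            allowed = set(SCRIPT_CMDS)
        elif low in ("nocommands", "reset"):
            allowed = set()
        elif low[:1] in ("+", "-"):
            grant, body = low[0] == "+", low[1:]
            if body.startswith("@"):
                category = body[1:]
                if category in CATEGORIES_WITH_SCRIPTS:
                    allowed = (allowed | SCRIPT_CMDS) if grant else (allowed - SCRIPT_CMDS)
                elif grant and category not in CATEGORIES_WITHOUT_SCRIPTS:
                    needs_review = True
            else:
                cmd, _, sub = body.partition("|")
                if cmd in SCRIPT_CMDS:
                    if sub:                  # subcommand rule: partial grant or deny
                        needs_review = True
                    if grant:
                        allowed.add(cmd)
                    elif not sub:
                        allowed.discard(cmd)
    return allowed, needs_review


def users_able_to_run_scripts(acl_list_lines):
    """Return {user: info} for enabled users whose rules still admit a script command."""
    report = {}
    for line in acl_list_lines:
        m = ACL_LINE_RE.match(line.strip())
        if m is None:
            continue
        name, tokens = m.group(1), m.group(2).split()
        enabled = False
        for tok in tokens:               # the last on/off token wins
            if tok == "on":
                enabled = True
            elif tok == "off":
                enabled = False
        if not enabled:
            continue
        allowed, needs_review = script_permissions(tokens)
        if "(" in line:                  # Redis 7 selectors carry extra rule sets; not modelled
            needs_review = True
        if allowed or needs_review:
            report[name] = {"commands": sorted(allowed),
                            "nopass": "nopass" in tokens,
                            "needs_review": needs_review}
    return report


# Constructed ACL LIST output. PLACEHOLDER_HASH stands in for the SHA-256 password
# hash that Redis prints after '#'.
PLACEHOLDER_HASH = "#" + "0" * 64
SAMPLE_ACL_LIST = [
    # weak: passwordless default user with every command, EVAL/EVALSHA included
    "user default on nopass ~* &* +@all",
    # hardened: full data access, whole scripting category removed
    f"user app on {PLACEHOLDER_HASH} ~app:* &* +@all -@scripting",
    # only partly hardened: a later rule re-grants EVALSHA
    f"user batch on {PLACEHOLDER_HASH} ~* &* -@all +@read +@write +evalsha",
    # disabled account: not reported until someone switches it back on
    "user legacy off nopass ~* &* +@all",
]


def run_sample():
    return users_able_to_run_scripts(SAMPLE_ACL_LIST)


if __name__ == "__main__":
    for user, info in run_sample().items():
        print(user, info)
```

On a live instance, feed the lines printed by `redis-cli ACL LIST` to `users_able_to_run_scripts`; any user whose entry lists commands, or has `needs_review` set, is a candidate for a `-@scripting` rule (and, for the default user, a password or `off`).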
## Detection
- Indicators of Compromise: Anomalous shell execution or system calls originating from the Redis process, unexpected network connections initiated by the Redis service account, file system modifications, or deployment of cryptomining software.
- Detection methods and tools: Monitor network traffic patterns and command execution logs for excessive or unusual use of the `EVAL` or `EVALSHA` commands coming from authenticated clients. Forensic analysis should focus on memory artifacts related to Use-After-Free exploitation techniques.
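For the command-log monitoring described above, here is an added example that is not part of the original report: it parses the line format emitted by Redis' `MONITOR` command and flags script-command activity on two grounds, script commands arriving from a client address outside an allowlist, and bursts of script commands from an otherwise expected client. The allowlist, the 60-second window and the threshold of five commands per window are hypothetical tuning values, and the `MONITOR` lines (addresses, timestamps and the script SHA-1) are constructed for the example.

```python
import re
import shlex
from collections import defaultdict

# Shape of a Redis MONITOR line (the sample below is constructed):
#   1759500000.100000 [0 10.0.1.20:40001] "EVALSHA" "<sha1>" "1" "ratelimit:user:42"
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.+)$')

# Commands that deliver a Lua script (or call a Lua function) to the server.
SCRIPT_COMMANDS = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO",
                   "SCRIPT", "FCALL", "FCALL_RO", "FUNCTION"}


def parse_monitor_line(line):
    """Parse one MONITOR line into a dict, or return None if it does not match."""
    m = MONITOR_RE.match(line.strip())
    if m is None:
        return None
    args = shlex.split(m.group("rest"))   # MONITOR double-quotes every argument
    if not args:
        return None
    return {
        "ts": float(m.group("ts")),
        "db": int(m.group("db")),
        "client": m.group("client"),       # "ip:port" of the connection
        "command": args[0].upper(),
        "args": args[1:],
    }


def find_script_activity(lines, allowed_clients, window_seconds=60, max_per_window=5):
    """Flag script commands from unexpected sources, and bursts from expected ones.

    allowed_clients: source IPs that legitimately run scripts (hypothetical allowlist).
    Returns findings in the order the offending clients were first seen.
    """
    stamps_by_client = defaultdict(list)
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None or ev["command"] not in SCRIPT_COMMANDS:
            continue
        stamps_by_client[ev["client"]].append(ev["ts"])

    findings = []
    for client, stamps in stamps_by_client.items():
        ip = client.rsplit(":", 1)[0]
        if ip not in allowed_clients:
            findings.append({"client": client, "reason": "not_allowlisted",
                             "count": len(stamps)})
            continue
        # Largest number of script commands inside any window of window_seconds.
        stamps.sort()
        start, burst = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_seconds:
                start += 1
            burst = max(burst, end - start + 1)
        if burst > max_per_window:
            findings.append({"client": client, "reason": "burst",
                             "burst": burst, "window_seconds": window_seconds})
    return findings


# Constructed sample: an application host that legitimately runs one rate-limit
# script, an unknown client submitting EVAL, and a burst of EVALSHA from the app host.
FAKE_SHA1 = "deadbeef" * 5                 # placeholder for a loaded script's SHA-1
ALLOWED_CLIENTS = {"10.0.1.20"}
SAMPLE_LINES = [
    f'1759500000.100000 [0 10.0.1.20:40001] "EVALSHA" "{FAKE_SHA1}" "1" "ratelimit:user:42"',
    '1759500000.200000 [0 10.0.1.20:40001] "GET" "session:abc123"',
    '1759500001.000000 [0 203.0.113.7:55512] "EVAL" "return redis.call(\'get\', KEYS[1])" "1" "session:abc123"',
    '1759500001.100000 [0 203.0.113.7:55512] "PING"',
] + [
    f'{1759500010 + i * 0.4:.6f} [0 10.0.1.20:40002] "EVALSHA" "{FAKE_SHA1}" "1" "ratelimit:user:{i}"'
    for i in range(7)
]


def run_sample():
    return find_script_activity(SAMPLE_LINES, ALLOWED_CLIENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

`MONITOR` is a debugging facility with a measurable throughput cost, so sample its output for a bounded period rather than leaving it attached permanently; the parser is equally usable on captured output saved to a file.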
## References
- Vendor Advisory: [redis.io/blog/security-advisory-cve-2025-49844/](https://redis.io/blog/security-advisory-cve-2025-49844/)
- GitHub Advisory: [github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q](https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q)
- Research Blog: [wiz.io/blog/wiz-research-redis-rce-cve-2025-49844/](https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844/)