Redis patches critical “RediShell” RCE vulnerability, update ASAP! (CVE-2025-49844)

Redis, the company behind the widely used in-memory data structure store of the same name, has released patches for a critical vulnerability (CVE-2025-49844) that may allow attackers full access to the underlying host system.

Redis vulnerability CVE-2025-49844

“This flaw allows a post auth attacker to send a specially crafted malicious Lua script (a feature supported by default in Redis) to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host,” Wiz researchers noted.

To make matters even worse, the official Redis container images have authentication disabled by default.

“Our analysis shows that 57% of cloud environments install Redis as an image. If not installed carefully, these instances may lack authentication entirely. The combination of no authentication and exposure to the internet is highly dangerous, allowing anyone to query the Redis instance and, specifically, send Lua scripts (…). This enables attackers to exploit the vulnerability and achieve RCE within the environment,” the researchers added.

About CVE-2025-49844

Dubbed RediShell by the Wiz researchers who found and reported it, CVE-2025-49844 stems from a use-after-free memory corruption bug that may allow attackers to manipulate Redis’ Garbage Collector via specially crafted Lua scripts.

Once a vulnerable Redis installation is breached and the underlying host is compromised, attackers may establish persistent access, install cryptominers or malware, exfiltrate sensitive data both from Redis and the host, and compromise or steal credentials, using some of them (e.g., IAM tokens) to access other cloud services, Wiz researchers noted.

The vulnerable code was added to Redis’ codebase in 2012, so CVE-2025-49844 affects every Redis (server) version that supports Lua scripting, i.e., v8.2.1 and earlier.

The vulnerability has been fixed in:

  • Redis Software (commercial, closed-source) releases: 7.22.2-12 and higher, 7.8.6-207 and higher, 7.4.6-272 and higher, 7.2.4-138 and higher, 6.4.2-131 and higher
  • Redis OSS/CE (open-source/Community Edition) releases with Lua scripting: 8.2.2 and higher, 8.0.4 and higher, 7.4.6 and higher, 7.2.11 and higher
  • Redis Stack releases: 7.4.0-v7 and higher, 7.2.0-v19 and higher

Update or disable Lua scripting

Wiz researchers say that there are approximately 330,000 internet-exposed Redis instances out there, and about 60,000 of them have no authentication configured.

The German Federal Office for Information Security (BSI) has also released an alert about the flaw, noting that in Germany alone there are about 4,000 Redis servers exposed without authentication.

BSI pointed out that given the simplicity of the attack and the wide use of Redis, exploitation attempts are expected soon, especially once technical details become public.

Wiz has refrained from sharing technical details for now.

IT administrators have been advised to install updates immediately or, alternatively, to disable Lua scripting by using Access Control Lists (ACLs) to restrict the EVAL and EVALSHA commands.

Wiz researchers also advised hardening Redis installations by:

  • Enabling authentication
  • Disabling unnecessary commands
  • Operating Redis with a non-root user account
  • Activating Redis logging and monitoring to track activity and identify potential issues
  • Implementing network-level access control, and
  • Limiting access to Redis only from authorized networks.
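As an added illustration (not from the article, Wiz or Redis), the following Python script applies Redis ACL command rules to `ACL LIST` output and reports enabled users that need no password or can still reach a Lua-executing command. The sample `ACL LIST` lines are constructed, the category handling is simplified as noted in the comments, and the check goes slightly beyond EVAL/EVALSHA by covering the whole `@scripting` category (EVAL_RO/EVALSHA_RO, SCRIPT and the Redis 7 Functions API also execute Lua), so that `-@scripting` is the broader rule.

```python
# Commands that run Lua server-side. EVAL/EVALSHA are the two named above; the
# rest make up Redis' @scripting ACL category (EVAL_RO/EVALSHA_RO, SCRIPT and
# the Redis 7 Functions API), which is why `-@scripting` is the broader rule.
SCRIPTING_COMMANDS = frozenset({
    "eval", "evalsha", "eval_ro", "evalsha_ro", "script",
    "fcall", "fcall_ro", "function",
})
# Categories containing those commands (all of them are also @slow). Simplified
# assumption: other categories such as @read or @write do not contain them.
CATEGORIES_WITH_SCRIPTING = {"all", "scripting", "slow"}

# Constructed sample of `redis-cli ACL LIST` output; '#<sha256hex>' stands in
# for a real password hash. The first line is the default-user state of an
# instance with no authentication configured.
SAMPLE_ACL_LIST = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #<sha256hex> sanitize-payload ~app:* &* -@all +@read +@write
user legacy on #<sha256hex> sanitize-payload ~* &* +@all -eval -evalsha
user worker on #<sha256hex> sanitize-payload ~* &* +@all -@scripting
"""


def allowed_scripting_commands(rules):
    """Apply ACL command rules left to right, tracking only scripting commands."""
    allowed = set()
    for rule in rules:
        rule = {"allcommands": "+@all", "nocommands": "-@all"}.get(rule, rule)
        if len(rule) < 2 or rule[0] not in "+-":
            continue  # on/off flags, password, key (~) and channel (&) rules
        sign, target = rule[0], rule[1:].lower()
        if target.startswith("@"):
            if target[1:] not in CATEGORIES_WITH_SCRIPTING:
                continue
            affected = SCRIPTING_COMMANDS
        else:  # single command, possibly written as 'cmd|subcommand'
            affected = {target.split("|", 1)[0]} & SCRIPTING_COMMANDS
        allowed = allowed | affected if sign == "+" else allowed - affected
    return allowed


def audit_acl_list(acl_list_output):
    """Return {user: (needs_no_password, allowed_scripting_cmds)} for enabled users."""
    report = {}
    for line in acl_list_output.splitlines():
        tokens = line.strip().strip('"').split()
        if len(tokens) < 3 or tokens[0] != "user" or "off" in tokens[2:]:
            continue  # not a user line, or a disabled user that cannot log in
        rules = tokens[2:]
        report[tokens[1]] = ("nopass" in rules, sorted(allowed_scripting_commands(rules)))
    return report


def risky_users(acl_list_output):
    """Enabled users that need no password, plus any user that can still run Lua."""
    return sorted(u for u, (nopass, lua) in audit_acl_list(acl_list_output).items()
                  if nopass or lua)
```

Run it with the output of `redis-cli ACL LIST` in place of the constructed sample; for that sample it flags `default` (no password) and `legacy` (only EVAL/EVALSHA removed, six Lua entry points left).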
