
"The security flaw, tracked as CVE-2025-49844, affects all Redis versions with Lua scripting. It allows an authenticated attacker to send a malicious Lua script and manipulate the garbage collector - this is its memory management system intended to prevent memory leaks - and trigger a use-after-free that can potentially lead to remote code execution in the Redis server process."
"It's especially concerning because it has existed in Redis source code for 13 years, according to Wiz researchers Benny Isaacs and Nir Brakha, who discovered the security hole with Trend Micro's Zero Day Initiative (ZDI) bug hunters."
"Given that Redis is used in an estimated 75 percent of cloud environments, the potential impact is extensive," Isaacs and Brakha said in an alert shared with The Register and slated to publish Monday night. "Organizations are strongly urged to patch instances immediately by prioritizing those that are exposed to the internet."
A critical vulnerability (CVE-2025-49844) in Redis Lua scripting enables an authenticated attacker to send malicious Lua code, manipulate the garbage collector, trigger a use-after-free, and potentially achieve remote code execution in the Redis server process. The issue has been present in Redis source code for 13 years and was discovered by Wiz researchers working with Trend Micro's ZDI. Redis Cloud has already been upgraded, but self-managed OSS, CE, Stack, and Software users must upgrade to the latest releases. Approximately 330,000 Redis instances remain internet-exposed and 60,000 instances lack authentication. Prioritize patching externally exposed instances and check for unauthorized access and unusual activity.
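An added triage helper (example code, not from The Register article or the Wiz/ZDI research) that applies the prioritization above to a fleet of self-managed instances: it parses an `INFO server` reply, compares the version against a fixed-release table the operator fills in from the vendor advisory (the table here is a placeholder with made-up values), and ranks internet-exposed and unauthenticated instances first. The `scripting_denied` flag, an ACL rule denying EVAL/EVALSHA, is an assumed workaround that the article does not describe.

```python
import re
from dataclasses import dataclass

def parse_info(info_text: str) -> dict:
    """Turn the `key:value` lines of a Redis `INFO server` reply into a dict."""
    fields = {}
    for line in info_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            fields[key] = value
    return fields

def version_tuple(version: str) -> tuple:
    # Numeric comparison, so 7.2.100 sorts after 7.2.99; suffixes like -rc1 are dropped.
    return tuple(int(part) for part in re.findall(r"\d+", version))

def is_patched(version: str, fixed_versions: dict) -> bool:
    """True when `version` is at or above the first fixed release of its major.minor branch; unknown branches count as unpatched (fail closed)."""
    fixed = fixed_versions.get(".".join(version.split(".")[:2]))
    return fixed is not None and version_tuple(version) >= version_tuple(fixed)

@dataclass
class Instance:
    host: str
    info_text: str          # raw `INFO server` reply
    internet_exposed: bool  # reachable from outside the network boundary
    auth_required: bool     # False if an unauthenticated PING was accepted
    scripting_denied: bool = False  # ACL denies EVAL/EVALSHA (assumed workaround)

def triage(inst: Instance, fixed_versions: dict) -> tuple:
    """Return (priority, reasons): P0 = patch now, P3 = already patched."""
    version = parse_info(inst.info_text).get("redis_version", "0.0.0")
    if is_patched(version, fixed_versions):
        return "P3", [f"{version} is patched"]
    reasons = [f"{version} is unpatched (Lua scripting is present in all versions)"]
    if not inst.auth_required:
        reasons.append("no authentication")
    if inst.internet_exposed:
        reasons.append("internet exposed")
    if inst.scripting_denied:
        reasons.append("scripting denied by ACL (workaround only, still patch)")
    exposed, open_ = inst.internet_exposed, not inst.auth_required
    priority = "P0" if exposed and open_ else "P1" if exposed or open_ else "P2"
    return priority, reasons

# Constructed sample fleet. FIXED is a PLACEHOLDER: fill it from the vendor
# advisory for CVE-2025-49844; the values here are not the real fixed releases.
FIXED = {"7.2": "7.2.99", "7.4": "7.4.99"}
FLEET = [Instance("cache-edge", "# Server\nredis_version:7.2.4\n", True, False),
         Instance("cache-int", "# Server\nredis_version:7.4.99\n", False, True)]

if __name__ == "__main__":
    print(*(f"{triage(i, FIXED)[0]} {i.host}: {'; '.join(triage(i, FIXED)[1])}" for i in FLEET), sep="\n")
```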
Read at Theregister