
"described it as a use-after-free (UAF) memory corruption bug that has existed in the Redis source code for about 13 years. It essentially permits an attacker to send a malicious Lua script that leads to arbitrary code execution outside of the Redis Lua interpreter sandbox, granting them unauthorized access to the underlying host. In a hypothetical attack scenario, it can be leveraged to steal credentials, drop malware, exfiltrate sensitive data, or pivot to other cloud services."
"An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution," according to a GitHub advisory for the issue. "The problem exists in all versions of Redis with Lua scripting. However, for exploitation to be successful, it requires an attacker to first gain authenticated access to a Redis instance, making it crucial that users don't leave their Redis instances exposed to the internet and secure them with strong authentication."
CVE-2025-49844 (RediShell) is a maximum-severity Redis vulnerability that enables remote code execution via specially crafted Lua scripts. An authenticated user can manipulate the garbage collector to trigger a use-after-free and escape the Redis Lua interpreter sandbox, allowing arbitrary code execution on the host. The flaw affects all Redis versions with Lua scripting and carries a CVSS score of 10.0. Exploitation requires prior authenticated access, so instances must not be exposed publicly and should use strong authentication. Patches were released on October 3, 2025; temporary mitigations include ACL restrictions on EVAL and EVALSHA and limiting Lua execution to trusted identities.
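The interim mitigation above (ACL restrictions on EVAL and EVALSHA, scripting limited to trusted identities) can be audited from `ACL LIST` output. The checker below is an added example, not code from the article or from the Redis project; it models the standard Redis ACL rule semantics (`on`/`off`, `nopass`, `+@all`, `-@scripting`, per-command `+eval`/`-evalsha`) applied left to right, assumes plain rule lists without Redis 7 selectors, and runs over constructed sample lines.

```python
from dataclasses import dataclass, field
# EVAL and EVALSHA are the commands the advisory's mitigation restricts via ACLs.
LUA_COMMANDS = {"eval", "evalsha"}

@dataclass
class UserAudit:
    name: str
    enabled: bool = False
    nopass: bool = False
    lua_allowed: set = field(default_factory=set)

def parse_acl_line(line: str) -> UserAudit:
    """Apply one `ACL LIST` line's rules left to right, as Redis does.
    Assumption: plain rule lists only; Redis 7 selectors "(...)" are not modelled."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    audit = UserAudit(name=tokens[1])
    for tok in tokens[2:]:
        if tok in ("on", "off"):
            audit.enabled = tok == "on"
        elif tok == "nopass":
            audit.nopass = True
        elif tok[0] in "#>":                   # password hash or plaintext password set
            audit.nopass = False
        elif tok in ("+@all", "allcommands", "+@scripting"):
            audit.lua_allowed |= LUA_COMMANDS  # the @scripting category contains EVAL/EVALSHA
        elif tok in ("-@all", "nocommands", "-@scripting"):
            audit.lua_allowed.clear()
        elif tok[1:] in LUA_COMMANDS:          # per-command rules such as +eval / -evalsha
            (audit.lua_allowed.add if tok[0] == "+" else audit.lua_allowed.discard)(tok[1:])
        # key (~), channel (&) and unrelated command rules do not change the verdict
    return audit

def find_lua_capable_users(acl_list_output):
    """Return enabled users who can still call EVAL or EVALSHA."""
    audits = [parse_acl_line(l) for l in acl_list_output if l.strip()]
    return [a for a in audits if a.enabled and a.lua_allowed]

# Constructed sample: exposed-style default user, locked-down app user, trusted scripter, disabled legacy user.
SAMPLE_ACL_LIST = [
    "user default on nopass ~* &* +@all",
    "user app on #0123abcd ~app:* &* +@all -@scripting",
    "user scripter on #89efcdab ~* &* -@all +@read +eval +evalsha",
    "user legacy off nopass ~* &* +@all",
]
if __name__ == "__main__":
    for a in find_lua_capable_users(SAMPLE_ACL_LIST):
        flag = " (NO PASSWORD)" if a.nopass else ""
        print(f"{a.name}: can run {sorted(a.lua_allowed)}{flag}")
```

On the sample it reports `default` (no password, full scripting, the exposed-instance case the advisory warns about) and `scripter` (password-protected and deliberately permitted), while `app` and the disabled `legacy` user are not listed.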
Read at The Hacker News