"Exploiting the so-called "RediShell" remote code execution vulnerability, an authenticated user can use a specially crafted script to manipulate the garbage collector, trigger a use-after-free, and potentially execute arbitrary code remotely. The vulnerability exploits a 13-year-old UAF memory corruption bug in Redis, allowing a post-auth attacker to send a crafted Lua script to escape the default Lua sandbox and execute arbitrary native code."
"This grants full host access, enabling data theft, wiping, encryption, resource hijacking, and lateral movement within cloud environments. Riaz Lakhani, CISO at Redis, warns: Exploitation of this vulnerability requires an attacker to first gain authenticated access to your Redis instance. There are several steps you can take to protect your Redis from being accessed by a malicious actor. In its security advisory, Redis recommends following security best practices, restricting network access with firewalls"
CVE-2025-49844 is a critical (CVSS 10.0) use-after-free vulnerability in Redis Lua scripting that permits authenticated users to execute arbitrary native code by escaping the Lua sandbox. Exploitation manipulates the garbage collector to trigger a UAF, enabling reverse shells, data exfiltration, malware installation, credential theft, and full host compromise. The flaw traces to a 13-year-old memory corruption bug and enables lateral movement in cloud environments via stolen IAM tokens. Recommended mitigations include upgrading to patched Redis/Valkey releases, restricting network access with firewalls and network policies, enforcing strong authentication, and limiting permissions to run Lua scripts.
Read at InfoQ
Unable to calculate read time
Collection
[
|
...
]