Service Notices
Redis Remote Code Execution Vulnerability (CVE-2025-49844)
Nov 05, 2025 GMT+08:00
I. Overview
Redis disclosed a remote code execution vulnerability (CVE-2025-49844). The root cause is a use-after-free (UAF) memory corruption bug in the Redis source code. An authenticated attacker can send a specially crafted malicious Lua script (Lua scripting is enabled by default in Redis) to escape the Lua sandbox and achieve arbitrary code execution on the Redis host.
Redis is a widely used in-memory database. If you are a Redis user, check your Redis version and apply security hardening promptly.
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-49844
https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
Redis < 6.2.20
Redis < 7.2.11
Redis < 7.4.6
Redis < 8.0.4
Redis < 8.2.2
Secure versions:
Redis >= 6.2.20
Redis >= 7.2.11
Redis >= 7.4.6
Redis >= 8.0.4
Redis >= 8.2.2
IV. Vulnerability Handling
1. This vulnerability has been fixed in the latest official releases. If your Redis version falls within the affected range, upgrade to the corresponding secure version.
https://github.com/redis/redis/releases
2. Mitigation measures:
If affected users cannot upgrade in a timely manner, apply the following mitigations:
1) Restrict ordinary users from executing the EVAL and EVALSHA commands.
2) Configure a strong password and a security group policy for Redis so that it is reachable only from trusted IP addresses.
Note: Before fixing vulnerabilities, back up your data and test the change thoroughly.
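To turn the affected/secure version lists above into a repeatable check, the following added example (not part of this notice) parses the `redis_version` line from `INFO server` output and classifies it against the per-branch fixed releases; the sample `INFO` text is constructed, and branches the notice does not list (such as 7.0.x) are flagged for manual review rather than guessed.

```python
import re

# Fixed release per maintained branch, taken from the notice's "Secure versions" list.
FIXED_RELEASE = {
    (6, 2): (6, 2, 20),
    (7, 2): (7, 2, 11),
    (7, 4): (7, 4, 6),
    (8, 0): (8, 0, 4),
    (8, 2): (8, 2, 2),
}

VERSION_RE = re.compile(r"^redis_version:(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_version(info_server: str) -> tuple:
    """Pull the redis_version line out of the text returned by `INFO server`."""
    m = VERSION_RE.search(info_server)
    if m is None:
        raise ValueError("no redis_version line in INFO output")
    return tuple(int(part) for part in m.groups())


def assess(version: tuple) -> str:
    """Classify a (major, minor, patch) tuple against the notice.

    'fixed'       - at or above the fixed release of its branch
    'vulnerable'  - below the fixed release of its branch
    'not-covered' - branch not listed in the notice (e.g. 7.0.x); verify manually
    """
    branch = version[:2]
    fixed = FIXED_RELEASE.get(branch)
    if fixed is None:
        return "not-covered"
    return "fixed" if version >= fixed else "vulnerable"


def assess_info(info_server: str) -> str:
    """Convenience wrapper: classify straight from raw `INFO server` text."""
    return assess(parse_version(info_server))


# Constructed sample of `INFO server` output, not captured from a real host.
SAMPLE_INFO = """# Server
redis_version:7.2.10
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 5.15.0 x86_64
"""

if __name__ == "__main__":
    print(assess_info(SAMPLE_INFO))  # prints "vulnerable" (7.2.10 is below 7.2.11)
```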