Redis Use-After-Free Vulnerability Enables Remote Code Execution

A critical security vulnerability has been discovered in Redis Server that allows authenticated attackers to achieve remote code execution through a use-after-free flaw in the Lua scripting engine.

Tracked as CVE-2025-49844, this issue affects all versions of Redis that support Lua scripting functionality, posing a significant risk to organizations relying on Redis for in-memory data storage.

Critical Memory Corruption Flaw Discovered

Security researchers from Wiz, including Benny Isaacs, Nir Brakha, and Sagi Tzadik, collaborating with Trend Micro’s Zero Day Initiative, identified this severe vulnerability that exploits Redis’s garbage collection mechanism.

The flaw arises from improper memory management in the Lua scripting implementation, where references to freed memory persist after the garbage collector reclaims the underlying structures.

By crafting malicious Lua scripts that manipulate garbage collection timings, attackers can trigger a use-after-free condition, gaining control over freed memory regions to execute arbitrary code with the privileges of the Redis server process.

The vulnerability’s impact is heightened by its simplicity of exploitation: attackers need only valid Redis credentials to trigger the flaw remotely over standard network connections.

Exploitation does not require additional user interaction or elevated privileges on the target system, and the attack complexity is rated as low.

Furthermore, the changed scope rating indicates the potential for compromised Redis processes to affect other resources within the same security boundary.

Attack Vector and Impact

Redis servers often expose the EVAL and EVALSHA commands to enable advanced scripting capabilities.

This vulnerability directly targets those commands, giving attackers a powerful foothold. With a CVSS 3.1 score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), CVE-2025-49844 is classified as Critical and demands immediate attention from administrators.

Should exploitation become widespread, organizations could face unauthorized data manipulation, theft of sensitive information, lateral movement within the network, and full system compromise.

As of now, an official patch remains in development (marked as “TBD”). In the interim, Redis administrators can implement immediate protective measures to mitigate risk.

The primary workaround involves leveraging Access Control Lists (ACLs) to restrict or disable the EVAL and EVALSHA commands, effectively preventing the execution of Lua scripts:

1. Review all Redis instances to identify users and roles granted EVAL or EVALSHA permissions.
2. Update ACL configurations to remove or limit scripting commands where possible.
3. Where Lua scripting is non-essential, disable it entirely to eliminate the attack vector.

Organizations should also audit network exposure of Redis servers, ensuring only trusted hosts can connect.

Deploying Redis behind firewalls, VPNs, or within secure internal networks will further reduce the likelihood of unauthorized access.

Longer-term remediation should include applying official patches once released and validating all Redis clusters through security testing.

Maintaining strict credential hygiene and rotating access keys regularly will minimize the chance of compromised credentials being used.

By promptly applying ACL restrictions and monitoring for indicators of compromise, organizations can defend against exploitation of this critical use-after-free vulnerability and maintain the integrity of their Redis deployments.

Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today