cbcvebase.
CVE-2025-49844
published 2025-10-03


Priority: P1 · 96 · critical · CVSS 3.1 score 9.9
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
Tags: ITW, Exploit, VulnCheck KEV, Ransomware, Initial access
Exploited in the wild
EPSS: 86.77% (99.7th percentile)
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around this issue without patching the redis-server executable, prevent users from executing Lua scripts. This can be done using ACLs to restrict the EVAL and EVALSHA commands.

Affected

26 ranges, showing 25

Vendor | Product | Version range | Fixed in
debian | redict | < redict 7.3.6+ds-1 (forky) | redict 7.3.6+ds-1 (forky)
debian | redis | < redict 7.3.6+ds-1 (forky) | redict 7.3.6+ds-1 (forky)
debian | valkey | < redict 7.3.6+ds-1 (forky) | redict 7.3.6+ds-1 (forky)
lfprojects | valkey | < 7.2.11 | 7.2.11
lfprojects | valkey | >= 0 < 8.1.1+dfsg1-3+deb13u1 | 8.1.1+dfsg1-3+deb13u1
lfprojects | valkey | >= 0 < 8.1.4+dfsg1-1 | 8.1.4+dfsg1-1
lfprojects | valkey | >= 0 < 7.2.11+dfsg1-0ubuntu0.2 | 7.2.11+dfsg1-0ubuntu0.2
lfprojects | valkey | >= 0 < 8.1.4+dfsg1-0ubuntu0.2 | 8.1.4+dfsg1-0ubuntu0.2
lfprojects | valkey | >= 8.0.0 < 8.0.6 | 8.0.6
lfprojects | valkey | >= 8.1.0 < 8.1.4 | 8.1.4
msrc | azl3_ceph_18.2.2-10_on_azure_linux_3.0 | | 
msrc | azl3_valkey_8.0.4-1_on_azure_linux_3.0 | | 
msrc | cbl2_ceph_16.2.10-9_on_cbl_mariner_2.0 | | 
msrc | cbl2_redis_6.2.18-3_on_cbl_mariner_2.0 | | 
paloalto | pan-os | | 
redis | redis | < 8.2.2 | 8.2.2
redis | redis | < 6.2.20 | 6.2.20
redis | redis | >= 0 < 5:6.0.16-1+deb11u8 | 5:6.0.16-1+deb11u8
redis | redis | >= 0 < 5:7.0.15-1~deb12u6 | 5:7.0.15-1~deb12u6
redis | redis | >= 0 < 5:8.0.2-3+deb13u1 | 5:8.0.2-3+deb13u1
redis | redis | >= 0 < 5:8.0.4-1 | 5:8.0.4-1
redis | redis | >= 7.0 < 7.2.11 | 7.2.11
redis | redis | >= 7.4.0 < 7.4.6 | 7.4.6
redis | redis | >= 8.0.0 < 8.0.4 | 8.0.4
redis | redis | >= 8.2.0 < 8.2.2 | 8.2.2

Detection & IOCs (extracted from sources)

command: EVAL (malicious Lua script)
command: EVALSHA (malicious Lua script)
  • Detect exploitation attempts by monitoring for EVAL/EVALSHA commands sent to Redis instances, especially from unauthenticated or unexpected sources; the exploit requires sending a specially crafted Lua script via these commands.
  • Check Point IPS signature 'Redis Use After Free (CVE-2025-49844)' is available for network-level detection of exploit attempts.
  • Flag Redis instances exposed to the internet with no authentication configured as highest-priority targets; approximately 60,000 such instances exist and are trivially exploitable without any credential requirement.
  • Monitor for reverse shell establishment originating from the Redis server process following EVAL/EVALSHA command execution, as successful exploitation establishes a reverse shell for persistent access.
  • Post-exploitation, watch for access to .ssh keys, IAM tokens, and certificates from the Redis process, as well as installation of cryptominers or malware on the Redis host.
  • Alert on Redis instances running as root; exploitation of CVE-2025-49844 on a root-running Redis process grants full host compromise immediately.
  • The vulnerability is already being abused by botnets and ransomware actors; correlate Redis exploitation indicators with known botnet C2 traffic patterns.
  • Lua scripting is enabled by default in Redis, meaning all default deployments are vulnerable without additional hardening. Disabling EVAL/EVALSHA via ACLs is a viable workaround if patching is not immediately possible.
  • The official Redis container image does not require authentication by default, meaning 57% of cloud environments deploying Redis as a container image may be unauthenticated and directly exploitable by any network-reachable attacker.
  • The vulnerability affects all Redis versions (including forks such as Valkey and managed services like Amazon ElastiCache, Google Cloud Memorystore, and Azure Cache for Redis) due to its root cause in the underlying Lua interpreter.
  • Exploitation requires authenticated access to Redis, but the large number of unauthenticated internet-exposed instances (~60,000) effectively removes this barrier for a significant portion of the attack surface.
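The EVAL/EVALSHA monitoring recommended above, as an added example that is not cbcvebase's or the Redis project's code: it parses Redis MONITOR output, flags script commands, and marks clients whose host is outside an assumed allowlist. The MONITOR lines, the addresses and the trusted_hosts allowlist are constructed for illustration.

```python
# Added example (not cbcvebase's or Redis's code); sample lines and allowlist are constructed.
import re
from dataclasses import dataclass

# MONITOR line shape: <unix ts> [<db> <client>] "CMD" "arg" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# The commands the advisory's ACL workaround removes (ACL SETUSER <user> -eval -evalsha).
SCRIPT_COMMANDS = {"EVAL", "EVALSHA"}

# Constructed sample: expected app client 10.0.0.5, plus an unexpected external client.
SAMPLE_MONITOR = """\
1759500000.101 [0 10.0.0.5:51234] "GET" "session:42"
1759500000.205 [0 10.0.0.5:51235] "EVALSHA" "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0" "1" "rate:42"
1759500001.330 [0 198.51.100.23:40012] "EVAL" "return redis.call('SET', KEYS[1], ARGV[1])" "1" "k" "v"
1759500002.002 [0 unix:/var/run/redis.sock] "PING"
"""


@dataclass
class Finding:
    ts: float
    client: str    # addr:port (or unix:/path) exactly as MONITOR prints it
    command: str
    preview: str   # first argument (script body or SHA1), truncated
    trusted: bool  # client host is on the allowlist


def parse_monitor_line(line):
    """Return (ts, client, [cmd, args...]) or None for lines that are not MONITOR output."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group("rest"))
    return (float(m.group("ts")), m.group("client"), args) if args else None


def find_script_usage(lines, trusted_hosts=frozenset()):
    findings = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None or parsed[2][0].upper() not in SCRIPT_COMMANDS:
            continue
        ts, client, args = parsed
        # Unix-socket clients have no port; TCP clients are ip:port.
        host = client if client.startswith("unix:") else client.rsplit(":", 1)[0]
        preview = args[1][:40] if len(args) > 1 else ""
        findings.append(Finding(ts, client, args[0].upper(), preview, host in trusted_hosts))
    return findings


def untrusted_script_clients(findings):
    return sorted({f.client for f in findings if not f.trusted})
```

Script calls from hosts outside the allowlist against an unpatched server are the findings to escalate; on users that never need scripting, the advisory's ACL workaround removes the commands outright.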

CVSS provenance

Source | Version | Score | Vector
nvd | v3.1 | 9.9 CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
osv | | 9.9 CRITICAL | 
vulncheck | | 9.9 CRITICAL | 
vendor_debian | | 9.9 CRITICAL | 
vendor_msrc | | 9.9 CRITICAL | 
vendor_oracle | | 9.9 CRITICAL | 
vendor_redhat | | 9.9 CRITICAL | 
vendor_ubuntu | | 8.8 HIGH | 