CVE-2025-49844

9.9 CRITICAL

📋 TL;DR

This CVE describes a critical vulnerability in Redis where authenticated users can execute specially crafted Lua scripts that manipulate the garbage collector, triggering a use-after-free condition that could lead to remote code execution. All Redis versions up to and including 8.2.1 with Lua scripting enabled are affected. Organizations running vulnerable Redis instances to which users can authenticate are at risk.

💻 Affected Systems

Products:
  • Redis
Versions: All versions up to and including 8.2.1
Operating Systems: All operating systems running Redis
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Lua scripting enabled (default) and authenticated user access to execute EVAL/EVALSHA commands.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full remote code execution with the privileges of the Redis process, potentially leading to complete system compromise, data theft, or lateral movement within the network.

🟠 Likely Case: Remote code execution leading to unauthorized access, data manipulation, or denial of service on the Redis server.

🟢 If Mitigated: Limited to denial of service if Lua scripting is disabled or access controls prevent exploitation.

🌐 Internet-Facing: HIGH - Internet-facing Redis instances with authenticated users are directly exploitable from anywhere.
🏢 Internal Only: HIGH - Internal Redis instances remain vulnerable to authenticated internal attackers or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and crafting of specific Lua scripts. No public proof-of-concept has been released at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.2.2

Vendor Advisory: https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q

Restart Required: Yes

Instructions:

1. Download Redis 8.2.2 from the official repository.
2. Stop the Redis service.
3. Install the new version following Redis installation procedures.
4. Restart the Redis service.

🔧 Temporary Workarounds

Disable Lua Script Execution via ACL

Prevents users from executing the EVAL and EVALSHA commands using Redis Access Control Lists. Apply it to every user that does not need scripting, and adjust the +@read +@write grants to the command set the application actually requires; EVAL and EVALSHA belong to the @scripting category rather than @read or @write, so the explicit -eval -evalsha denials are redundant once @all is removed but make the intent clear.

ACL SETUSER <username> -@all +@read +@write -eval -evalsha

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Redis instances from untrusted networks.
  • Enforce strong authentication and limit user permissions to only necessary commands.

🔍 How to Verify

Check if Vulnerable:

Check the Redis version with 'redis-server --version' or 'redis-cli INFO server | grep redis_version'. If the version is 8.2.1 or lower, the instance is vulnerable.

Check Version:

redis-server --version

Verify Fix Applied:

After patching, verify the version is 8.2.2 or higher using the same commands.
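The version check described above, as an added POSIX shell example that is not part of the advisory: it parses either output format ('redis-server --version' or the redis_version line of 'redis-cli INFO server'), compares the dotted version numerically against the fixed release 8.2.2, and reports vulnerable or fixed. The sample version strings are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a Redis version string
# is below the fixed release 8.2.2. The two input formats are those printed by
# `redis-server --version` and `redis-cli INFO server`; samples are constructed.

FIXED_VERSION="8.2.2"

# Pull "X.Y.Z" out of either "Redis server v=X.Y.Z ..." or "redis_version:X.Y.Z".
extract_version() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*v=\([0-9][0-9.]*\).*/\1/p' \
        -e 's/.*redis_version:\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when $1 is strictly lower than $2, comparing each dotted component
# as an integer (so 8.10.0 correctly sorts above 8.2.2; a plain string
# comparison would get that wrong).
version_lt() {
    v1=$1; v2=$2; i=1
    while [ "$i" -le 3 ]; do
        p1=$(printf '%s' "$v1" | cut -d. -f"$i"); p2=$(printf '%s' "$v2" | cut -d. -f"$i")
        p1=${p1:-0}; p2=${p2:-0}
        if [ "$p1" -lt "$p2" ]; then return 0; fi
        if [ "$p1" -gt "$p2" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Print "vulnerable" (exit 0), "fixed" (exit 1) or "unknown" (exit 2) for one
# version-output line.
is_vulnerable() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 2; fi
    if version_lt "$ver" "$FIXED_VERSION"; then echo "vulnerable"; return 0; fi
    echo "fixed"; return 1
}

# Demonstration on constructed outputs. Against a live instance, pipe the real
# command in instead (INFO replies use CRLF line endings, hence the tr):
#   redis-cli INFO server | grep '^redis_version' | tr -d '\r' | { read -r l; is_vulnerable "$l"; }
for sample in 'Redis server v=8.2.1 sha=00000000:0 malloc=jemalloc-5.3.0 bits=64 build=0' \
              'redis_version:8.2.2'; do
    printf '%s -> ' "$sample"; is_vulnerable "$sample" || true
done
```

The numeric component comparison matters for a check like this: a future 8.10.x release would compare as "lower" than 8.2.2 under plain string ordering and be reported vulnerable by mistake.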

📡 Detection & Monitoring

Log Indicators:

  • Unusual EVAL or EVALSHA command patterns
  • Redis process crashes or abnormal termination

Network Indicators:

  • Suspicious Lua script payloads in Redis protocol traffic

SIEM Query:

source="redis" AND (command="EVAL" OR command="EVALSHA") AND user!="default"
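The same filter applied offline to exported command-audit records, as an added POSIX shell example that is not part of the advisory. It flags EVAL/EVALSHA calls from users other than default, exactly as the SIEM query does, and additionally tallies flagged calls per user so that a sudden burst of script execution from one account stands out. The key=value record layout and the field names source, user and command are assumptions; the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): apply the SIEM query above to exported
# Redis command-audit records. The key=value layout and the field names
# (source, user, command) are assumptions; every log line below is constructed.

SAMPLE_LOG='ts=2025-10-06T10:00:01Z source=redis user=default command=GET
ts=2025-10-06T10:00:02Z source=redis user=app command=EVAL
ts=2025-10-06T10:00:03Z source=redis user=app command=EVALSHA
ts=2025-10-06T10:00:04Z source=redis user=default command=EVAL
ts=2025-10-06T10:00:05Z source=nginx user=app command=EVAL
ts=2025-10-06T10:00:06Z source=redis user=batch command=EVAL
ts=2025-10-06T10:00:07Z source=redis user=batch command=SET'

# Print the records that match the query: source=redis, command EVAL or
# EVALSHA, and a user other than default.
flag_script_calls() {
    printf '%s\n' "$1" | awk '
        {
            src = ""; usr = ""; cmd = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "source") { src = kv[2] } else if (kv[1] == "user") { usr = kv[2] } else if (kv[1] == "command") { cmd = kv[2] }
            }
            if (src == "redis" && (cmd == "EVAL" || cmd == "EVALSHA") && usr != "default") print
        }'
}

# Flagged records per user as "user count" lines, highest count first, so an
# account that suddenly issues many script calls is visible at the top.
count_by_user() {
    flag_script_calls "$1" | awk '
        { for (i = 1; i <= NF; i++) if (index($i, "user=") == 1) c[substr($i, 6)]++ }
        END { for (u in c) print u, c[u] }' | sort -k2,2nr -k1,1
}

# Total number of flagged records, usable as an alert threshold.
count_flagged() {
    flag_script_calls "$1" | awk 'END { print NR + 0 }'
}

echo "flagged records:"
flag_script_calls "$SAMPLE_LOG"
echo "per user:"
count_by_user "$SAMPLE_LOG"
```

Note that the filter excludes the default user only because the page's query does; on an instance where applications authenticate as default, that exclusion hides exactly the traffic of interest and should be dropped.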
