Redis is one of the most popular open-source, in-memory databases, prized for its blazing speed and flexible data structures. But sometimes power comes with risk, and the recent disclosure of CVE-2025-49844 shakes the Redis ecosystem. This long-read covers everything you need to know about the vulnerability — from the technical roots to the simple steps you can take right now to protect your environments.

The Vulnerability at a Glance

CVE-2025-49844 is a newly revealed security flaw affecting all Redis versions up to 8.2.1. It exists within the way Redis executes Lua scripts, and may allow an attacker who’s authenticated to trigger a use-after-free situation. In practical terms, this means it’s possible for someone to hijack application memory, and—under some conditions—achieve remote code execution (RCE).

Which Versions Are Vulnerable?

* All Redis versions with Lua scripting
* Up to and including Redis 8.2.1

The bug is fixed in Redis 8.2.2 — so update now if you can!

What is Lua Scripting in Redis?

Redis supports Lua scripting to enable complex database operations within the server, avoiding roundtrips from the client. Lua scripts are executed via the EVAL and EVALSHA commands.

Example Lua script in Redis (safe use)

127.0.0.1:6379> EVAL "return 'hello from Lua'" 0
"hello from Lua"

The Nitty-Gritty: Exploiting the Garbage Collector

At the heart of CVE-2025-49844 is how Redis integrates the Lua engine’s garbage collector (GC). Lua, like many other scripting languages, manages memory automatically with its own garbage collector.

Bad actors discovered they could write specially crafted Lua scripts that trick the garbage collector into “cleaning up” (freeing) some objects that are still in use. Later, when Redis or the embedded Lua runtime tries to use those objects, the result is a classic use-after-free bug. With careful exploitation, this can be leveraged to cause the execution of arbitrary code—potentially letting an attacker take full control of your Redis server.

Technical Details (Simplified)

Suppose an authenticated attacker submits a Lua script that looks roughly like this (simplified example):

local data = {}
for i = 1, 100000 do
  data[i] = tostring(i)
end
-- Trigger lots of operations to manipulate GC
collectgarbage()
-- More tricky moves here...

The attacker can craft much more complex Lua scripts, manipulating the memory in such a way that when collectgarbage() is called at the right time, it frees memory that's still in active use by the Redis server.

3. Trigger the use-after-free, causing server memory corruption.

4. Leverage the corrupted memory to gain code execution, potentially deploying malware, crypto miners, or using your Redis host as a pivot for further attacks.

Important:
Proof-of-concept exploit code has been seen in private security circles, but is not publicly available at this time (as of June 2024). Please see official references for details.

Official References and Announcements

* Redis CVE Announcements
* CVE-2025-49844 on Mitre
* Redis Documentation – Lua Scripting

1. Update Redis Immediately

Best Fix: Upgrade to Redis 8.2.2+, which solves the bug at the source. Download from the official Redis repository.

2. Restrict Lua Scripting If You Can't Update

If you can't patch right away, block use of Lua scripting using Redis's Access Control List (ACL) system. ACLs allow you to prevent users (even authenticated ones) from running dangerous commands.

Here’s how to do it:

# Connect to redis-cli as an admin
# Remove EVAL/EVALSHA from the default user

127.0.0.1:6379> ACL SETUSER default -EVAL -EVALSHA

# Or, for specific users:
127.0.0.1:6379> ACL SETUSER myuser -EVAL -EVALSHA

This disables Lua execution for those users, closing the attack vector.
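To check an instance against both mitigations above (upgraded to 8.2.2 or later, or Lua blocked for every ACL user), here is an added POSIX shell audit helper; it is an example written for this post, not code from the post or from the Redis project. It parses the text that redis-cli prints for INFO server and ACL LIST (the sample data below is constructed, and the redis-cli call in the last comment is the only assumption about a live environment), and it treats a rule that removes only EVAL and EVALSHA as partial, since EVAL_RO, EVALSHA_RO and FCALL also execute Lua and are covered only by removing the whole @scripting category.

```shell
# Added audit helper (not from the original post) for CVE-2025-49844: is this
# instance patched, and if not, do its ACLs keep every user away from Lua?

# Return 0 when dotted version $1 >= $2 (numeric compare, three components).
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s.0.0' "$1" | cut -d. -f"$i")
    b=$(printf '%s.0.0' "$2" | cut -d. -f"$i")
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# Classify one ACL LIST line: blocked | partial | open. Dropping only EVAL and
# EVALSHA is partial: EVAL_RO, EVALSHA_RO and FCALL still run Lua, so look for -@scripting.
classify_acl_user() {
  case "$1" in
    *" off "*)       echo blocked ;;   # disabled user cannot authenticate
    *"-@scripting"*) echo blocked ;;   # whole scripting category removed
    *"-eval"*)       echo partial ;;   # matches -eval and -evalsha only
    *)               echo open ;;
  esac
}

# $1 = "INFO server" output, $2 = "ACL LIST" output. Prints patched|mitigated|partial|exposed.
assess_redis() {
  ver=$(printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^redis_version://p')
  if version_ge "$ver" 8.2.2; then echo patched; return; fi
  worst=mitigated
  while IFS= read -r rule; do
    case $(classify_acl_user "$rule") in
      open)    worst=exposed ;;
      partial) [ "$worst" = exposed ] || worst=partial ;;
    esac
  done <<EOF
$2
EOF
  echo "$worst"
}

# Constructed sample data standing in for a live (unpatched) instance.
SAMPLE_INFO='redis_version:8.2.1'
SAMPLE_ACL='user default on nopass ~* &* +@all -@scripting
user app on #<password-hash> ~app:* &* +@all -eval -evalsha
user reporter off ~* &* +@all'
assess_redis "$SAMPLE_INFO" "$SAMPLE_ACL"   # prints: partial
# Live: assess_redis "$(redis-cli INFO server)" "$(redis-cli ACL LIST)"
```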

Final Thoughts

CVE-2025-49844 is a serious bug, but with a quick patch or simple command restrictions, you can neutralize this threat. If you run Redis in production—especially if it's publicly accessible or on shared infrastructure—move quickly. With millions depending on Redis daily, the community’s rapid response makes all the difference.

Further Reading

- Official Redis Security Notes
- Common Redis Security Mistakes
- Lua Official Website


*This post is an exclusive, plain-English explanation of the newly discovered Redis Lua vulnerability. Please share responsibly!*

Timeline

Published on: 10/03/2025 20:15:32 UTC
Last modified on: 11/12/2025 11:34:21 UTC