Redis has released security updates to address CVE-2025-49844, a CVSS 10.0 vulnerability that has lingered in the codebase for roughly 13 years. The flaw stems from a use-after-free condition reachable through Lua scripting, which is enabled by default in Redis. Successful exploitation allows a sandbox escape and full remote code execution (RCE) on the host running Redis.
Technical analysis: use-after-free via Lua and attack vectors
The vulnerability can be triggered by an attacker with authenticated access to a Redis instance, who executes a specially crafted Lua script. By abusing the Lua scripting engine, the attacker can break out of the Lua sandbox and provoke a use-after-free—a memory safety bug where freed memory is accessed again, often enabling arbitrary code execution.
Researchers at Wiz, who dubbed the issue “RediShell”, demonstrated a working exploit at Pwn2Own Berlin in May 2025. They attribute the root cause to the underlying Lua interpreter behavior, which makes the issue broadly applicable across supported Redis versions where Lua scripting remains active.
While credentials are required in a default-secure setup, Wiz’s internet-wide scanning identified about 330,000 publicly reachable Redis instances, including at least 60,000 that accept connections without authentication. In such misconfigurations, barriers to exploitation are minimal, making rapid remediation essential.
Business impact: from data theft to lateral movement
Exploitation of CVE-2025-49844 can lead to credential theft, deployment of malware, and extraction of sensitive data from Redis memory and storage. With host-level RCE, attackers can establish reverse shells, persist on systems, and perform lateral movement across networks.
In cloud and containerized environments, Redis often underpins caching, session storage, and messaging. A compromised Redis host can become a pivot point for escalating privileges to containers, orchestration nodes, and adjacent services—amplifying operational and data risk.
Mitigation and response guidance for Redis environments
Patch priority and coverage
Apply the official Redis patches immediately, prioritizing internet-exposed instances and environments that handle sensitive data or elevated privileges. Extend updates to production, staging, and CI/CD infrastructure to eliminate alternative attack paths. Validate that Lua-related components are updated across all nodes.
Configuration hardening
Enable authentication and ACLs on all instances that lack them. Where feasible, disable Lua scripting on externally reachable nodes and remove unused features. Run Redis with least privilege (avoid root), restrict administrative commands, and enable detailed logging and audit trails.
Network controls and detection
Restrict network access to trusted segments: bind Redis to internal interfaces, place it behind firewalls and VPC security controls, and block unnecessary public exposure. Employ network segmentation and strict egress policies to reduce the blast radius of a potential compromise.
Enhance monitoring for anomalous Lua activity (for example, spikes in EVAL/EVALSHA calls), unexpected outbound connections indicative of reverse shells, and atypical administrative operations or memory-intensive behaviors. Integrate alerts into SIEM/SOAR workflows to accelerate triage and response.
Context and verification
The exploit, publicly showcased at Pwn2Own Berlin 2025, underscores that the issue affects a wide range of Redis versions due to the Lua interpreter. According to the researchers, it can grant full host access under realistic configurations, making prompt patching and configuration hygiene non-negotiable. Organizations should review Redis release notes and vendor advisories, and follow Wiz’s technical analysis where available, to validate exposure and remediation steps.
Organizations are advised to inventory all Redis instances, deploy patches without delay, remove unnecessary public access, and disable Lua on exposed nodes. Combining timely updates with sound configuration, network segmentation, and targeted detection substantially lowers the likelihood and impact of compromise while limiting opportunities for lateral movement.
