Critical Redis Lua Use-After-Free RCE Vulnerability Exploited
CVE-2025-49844 is a critical use-after-free vulnerability in the Lua interpreter embedded in Redis, affecting every release up to and including 8.2.1. An attacker who can send commands to the server (an authenticated client, or any client on an instance running without authentication) triggers it with a crafted EVAL script that manipulates the Lua garbage collector, leaving a dangling reference that can be turned into remote code execution on the host. The flaw carries a CVSS score of 10.0. Because Redis is frequently deployed on the network without a password, exposure is broad: over 8,500 exposed instances were identified as vulnerable as of October 2025. The fix shipped in Redis 8.2.2, with corresponding fixes for the older maintained release lines; where patching is not immediately possible, the upstream workaround is to block Lua script execution by denying the EVAL and EVALSHA commands through Redis ACLs. The bug had been present in the code base for many years before its public disclosure in October 2025, and a proof of concept followed shortly after. Organizations running Redis should apply the patch and, in any case, make sure no instance is reachable without authentication.
Key Points:
• CVE-2025-49844 is a critical RCE vulnerability in the Redis Lua interpreter, rated CVSS 10.0.
• Over 8,500 exposed Redis instances were identified as vulnerable as of October 2025.
• Mitigation: upgrade to Redis 8.2.2 (or the fixed release for your line), or restrict Lua script execution via ACLs (deny EVAL and EVALSHA) until you can.
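The two checks the article implies, "is this build fixed?" and "which users can still reach the Lua interpreter?", can be run against captured `INFO server` and `ACL LIST` output. The following Python triage helper is an added example written for this page; it is not code from the article or from the Redis project. It assumes the fixed-version table below (8.2.2 is the release the article names; the older-line backports are listed as an assumption to confirm against the upstream advisory before relying on them), and the sample `INFO`/`ACL LIST` text is constructed so the script runs offline.

```python
"""
Triage helper for CVE-2025-49844 (added example, not from the article or Redis).

Decides whether a Redis instance is still exposed from two pieces of evidence:
  (a) the version reported by `INFO server`, and
  (b) the per-user command rules reported by `ACL LIST`.
Both can be captured with redis-cli; constructed samples are embedded below.
"""
import re

# Lowest fixed release per maintained line. 8.2.2 comes from the article; the
# backport numbers for older lines are an ASSUMPTION to verify against the
# vendor advisory before using this table operationally.
FIXED_VERSIONS = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
    (6, 2): (6, 2, 20),
}

# The ACL surface that reaches the Lua interpreter via EVAL-style commands.
LUA_CATEGORIES = {"@all", "@scripting"}
LUA_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro"}


def parse_version(info_server: str) -> tuple:
    """Extract (major, minor, patch) from the redis_version line of INFO output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def version_is_fixed(version: tuple) -> bool:
    """True if the version is at or above the fixed release for its line.
    Lines missing from the table (e.g. end-of-life 7.0.x) are treated as
    unpatched unless they are newer than every fixed release we know of."""
    line = version[:2]
    if line in FIXED_VERSIONS:
        return version >= FIXED_VERSIONS[line]
    return version >= max(FIXED_VERSIONS.values())


def user_can_run_lua(acl_line: str) -> bool:
    """Apply one `ACL LIST` line's command rules in order (last match wins, as
    Redis does) and report whether any EVAL-family command remains allowed.
    Handles +/-@all (and the allcommands/nocommands aliases), +/-@scripting and
    explicit +/-eval rules; password hashes, key and channel patterns are skipped."""
    tokens = acl_line.split()
    if len(tokens) < 3 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    if tokens[2] == "off":
        return False                       # disabled user cannot log in at all
    allowed = {cmd: False for cmd in LUA_COMMANDS}   # a fresh user has no commands
    for tok in tokens[3:]:
        t = tok.lower()
        t = {"allcommands": "+@all", "nocommands": "-@all"}.get(t, t)
        if t[:1] not in "+-":
            continue                       # >password, #hash, ~keys, &channels, flags
        sign, target = (t[0] == "+"), t[1:]
        if target in LUA_CATEGORIES:
            for cmd in allowed:
                allowed[cmd] = sign
        elif target in LUA_COMMANDS:
            allowed[target] = sign
    return any(allowed.values())


def triage(info_server: str, acl_list: str) -> dict:
    """Combine both checks into one verdict for an instance."""
    version = parse_version(info_server)
    lines = [ln for ln in acl_list.splitlines() if ln.strip()]
    lua_users = [ln.split()[1] for ln in lines if user_can_run_lua(ln)]
    nopass_lua_users = [ln.split()[1] for ln in lines
                        if user_can_run_lua(ln) and "nopass" in ln.split()]
    return {
        "version": version,
        "patched": version_is_fixed(version),
        "lua_users": lua_users,                  # can reach the vulnerable code path
        "nopass_lua_users": nopass_lua_users,    # can reach it without any credential
    }


# Constructed samples (not captured from a real host).
INFO_UNPATCHED = "# Server\r\nredis_version:7.4.5\r\nredis_mode:standalone\r\n"
ACL_WEAK = "user default on nopass sanitize-payload ~* &* +@all"
FAKE_HASH = "#" + "0" * 64   # placeholder for a sha256 password hash
ACL_HARDENED = "\n".join([
    "user default off resetchannels -@all",
    f"user app on {FAKE_HASH} ~app:* &* +@all -@scripting",   # workaround applied
    f"user ops on {FAKE_HASH} ~* &* +@all -@scripting +eval",  # later +eval re-opens it
])
# Equivalent hardening command: redis-cli ACL SETUSER app on '>pw' '~app:*' '&*' '+@all' '-@scripting'

if __name__ == "__main__":
    print(triage(INFO_UNPATCHED, ACL_WEAK))
    print(triage(INFO_UNPATCHED, ACL_HARDENED))
```

Run it against your own captures by replacing the constructed strings with the output of `redis-cli INFO server` and `redis-cli ACL LIST`. The ACL evaluation is deliberately limited to the rule forms that matter for this bug; `-@scripting` is preferred over `-eval -evalsha` because the category also covers the remaining script entry points, and the `ops` sample shows why rule order has to be audited rather than just grepping for `-@scripting`.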