Critical Redis Vulnerability (CVSS 10.0) Enables Remote Code Execution


394/68 Thursday, October 9, 2025

Redis, the developer of the popular in-memory database software, has disclosed a critical vulnerability tracked as CVE-2025-49844, also known as “RediShell.” The flaw, which received the maximum CVSS score of 10.0, is a Use-After-Free (UAF) issue in Redis’s Lua Scripting engine that has existed in the source code for over 13 years. It was discovered and reported by cloud security firm Wiz on May 16, 2025.

The vulnerability allows an attacker with authenticated access to a Redis instance to craft malicious Lua scripts that escape the Lua sandbox and execute native code directly on the host machine. Successful exploitation could lead to credential theft, malware deployment, exfiltration of sensitive data, or even lateral movement to other cloud services. Redis released patches on October 3, 2025, fixing the issue in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2.

Although no in-the-wild attacks have been observed so far, the risk remains high given the presence of over 330,000 Redis instances exposed online, including about 60,000 without authentication enabled. This makes the flaw a prime target for exploitation in cryptojacking, botnet campaigns, or other large-scale attacks.

Organizations running Redis are strongly advised to apply the patches immediately, enforce Access Control Lists (ACLs) to restrict dangerous commands such as EVAL/EVALSHA, and disable direct internet exposure to minimize potential damage.
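As an added audit example (not code from the advisory or from Redis itself), the script below checks the two things the paragraph above calls for: whether a reported redis_version is at or above the fixed release for its branch, and whether each user in ACL LIST output can still reach the scripting commands. The @scripting command membership and the ACL LIST line layout are assumptions based on Redis 7.x, and the INFO/ACL sample data is constructed.

```python
import re
# Minimum patched release per branch, as listed in the advisory.
FIXED = {(6, 2): (6, 2, 20), (7, 2): (7, 2, 11), (7, 4): (7, 4, 6),
         (8, 0): (8, 0, 4), (8, 2): (8, 2, 2)}
# Commands that reach the Lua/function engine; assumed to match Redis 7.x @scripting.
SCRIPTING = {"eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro",
             "function", "script"}

def parse_version(info_text):
    """(major, minor, patch) from INFO server output, or None if absent."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def is_patched(version):
    """True only for a branch the advisory lists, at or above its fixed release."""
    fixed = FIXED.get(version[:2])
    return fixed is not None and version >= fixed

def scripting_allowed(rules):
    """Replay ACL rules left to right (Redis semantics); return scripting commands still callable."""
    allowed = set()
    for tok in rules.lower().split():
        if tok in ("allcommands", "+@all", "+@scripting"):
            allowed = set(SCRIPTING)
        elif tok in ("nocommands", "-@all", "-@scripting"):
            allowed = set()
        elif tok[0] in "+-" and tok[1:2] != "@" and "|" not in tok and tok[1:] in SCRIPTING:
            allowed.add(tok[1:]) if tok[0] == "+" else allowed.discard(tok[1:])  # +cmd/-cmd; subcommand rules ignored
    return sorted(allowed)

def audit(info_text, acl_list_lines):
    """Findings for one instance; ACL LIST line layout is assumed to be
    'user <name> on|off <password flags> ~keys &channels <rules>'."""
    findings = []
    v = parse_version(info_text)
    if v is None or not is_patched(v):
        findings.append("unpatched: " + (".".join(map(str, v)) if v else "unknown version"))
    for line in acl_list_lines:
        _, name, *flags = line.split()
        if "on" in flags and "nopass" in flags:
            findings.append(f"{name}: enabled without a password")
        if cmds := scripting_allowed(" ".join(flags)):
            findings.append(f"{name}: scripting reachable ({', '.join(cmds)})")
    return findings

# Constructed sample: a pre-patch 7.2 instance with a passwordless default user.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.10\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = ["user default on nopass ~* &* +@all",
              "user app on #<hash-placeholder> ~app:* &* +@all -@scripting",
              "user ops on #<hash-placeholder> ~* &* +@all -eval -evalsha"]  # *_RO and FCALL still run Lua
```

Note that denying only EVAL and EVALSHA, as the "ops" sample user does, leaves EVAL_RO, FCALL and the FUNCTION/SCRIPT commands reachable; denying the whole @scripting category is the simpler rule.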

Source: https://thehackernews.com/2025/10/13-year-redis-flaw-exposed-cvss-100.html