Use-After-Free Vulnerability in Redis Open Source Database
CVE-2025-49844
What is CVE-2025-49844?
CVE-2025-49844 is a use-after-free vulnerability in the Redis open-source database, which is widely used for in-memory data storage and caching. The flaw lies in Redis's Lua scripting support: an authenticated user who can run Lua scripts can manipulate the Lua garbage collector and trigger the use-after-free, and successful exploitation can lead to remote code execution on the Redis server. The flaw exists in all versions up to 8.2.1 and poses a serious threat to organizations that run Redis, since an attacker who gains code execution on the server can compromise the integrity and confidentiality of the stored data. The recommended fix is an immediate upgrade to version 8.2.2, which addresses the vulnerability. Until the patch can be applied, organizations can reduce the exposure by restricting which users may execute Lua scripts through Redis access control lists (ACLs).
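The interim mitigation above depends on knowing which ACL users can still reach Lua scripting at all. The following audit script is an added example, not code from the advisory or from the Redis project: it parses the text shape of `ACL LIST` output and applies a simplified model of Redis ACL command selectors to report which users retain access to scripting commands. The membership of the `@scripting` category encoded here, the treatment of other categories as not affecting scripting, and the sample `ACL LIST` lines (with `#<hash>` standing in for real password hashes) are all assumptions constructed for the example.

```python
"""
Audit Redis ACL users for Lua/function scripting access.

Added example, not part of the original advisory. It approximates Redis ACL
command-selector semantics (+@cat / -@cat / +cmd / -cmd / allcommands /
nocommands) for the @scripting category only; subcommand selectors, key and
channel patterns are ignored. The category membership below is an assumption
based on Redis 7.x documentation.
"""

# Assumed membership of the @scripting category (Redis 7.x / 8.x).
SCRIPTING_COMMANDS = frozenset({
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "script", "function", "fcall", "fcall_ro",
})


def allowed_scripting_commands(rule_string: str) -> set[str]:
    """Apply ACL selectors left to right; return the scripting commands still callable."""
    allowed: set[str] = set()
    for token in rule_string.split():
        t = token.lower()
        if t in ("allcommands", "+@all"):
            allowed = set(SCRIPTING_COMMANDS)
        elif t in ("nocommands", "-@all"):
            allowed.clear()
        elif t == "+@scripting":
            allowed |= SCRIPTING_COMMANDS
        elif t == "-@scripting":
            allowed.clear()
        elif t.startswith("+") and not t.startswith("+@"):
            cmd = t[1:].split("|")[0]  # "+script|exists" -> "script"
            if cmd in SCRIPTING_COMMANDS:
                allowed.add(cmd)
        elif t.startswith("-") and not t.startswith("-@"):
            cmd = t[1:].split("|")[0]
            allowed.discard(cmd)
        # Assumption: every other token (on/off, passwords, ~key and &channel
        # patterns, other +@/-@ categories) leaves scripting access unchanged.
    return allowed


def parse_acl_list(output: str) -> dict[str, str]:
    """Parse lines in the shape printed by `ACL LIST` into {username: rule string}."""
    users: dict[str, str] = {}
    for line in output.strip().splitlines():
        line = line.strip()
        if not line.startswith("user "):
            continue
        _, name, rules = line.split(" ", 2)
        users[name] = rules
    return users


def audit(output: str) -> dict[str, set[str]]:
    """Return only the users that can still reach Lua/function scripting commands."""
    return {
        name: cmds
        for name, rules in parse_acl_list(output).items()
        if (cmds := allowed_scripting_commands(rules))
    }


# Constructed sample in the shape of `ACL LIST` output; not captured from a real server.
SAMPLE_ACL_LIST = """\
user default on nopass sanitize-payload ~* &* +@all
user cache-app on #<hash> ~cache:* &* -@all +get +set +del +expire
user job-runner on #<hash> ~jobs:* &* +@all -@dangerous -@scripting +evalsha
user analyst on #<hash> ~* &* -@all +@read +@scripting
"""

if __name__ == "__main__":
    for name, cmds in sorted(audit(SAMPLE_ACL_LIST).items()):
        print(f"{name}: can run {sorted(cmds)}")
```

Run against the constructed sample, the audit flags `default` and `analyst` (full scripting access) and `job-runner` (still has `evalsha` because the explicit `+evalsha` follows `-@scripting`), while `cache-app` is clean. On a real deployment the rule string for each user would come from `redis-cli ACL LIST`; the check is a complement to patching, not a replacement for it.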
Potential impact of CVE-2025-49844
- Remote Code Execution: Exploiting this vulnerability can enable attackers to run arbitrary code on the Redis server, potentially compromising the entire system and allowing them to control the underlying infrastructure.
- Data Integrity and Confidentiality Risks: Through remote code execution, malicious actors could manipulate, steal, or delete sensitive data stored in Redis, resulting in significant data breaches and loss of trust.
- Disruption of Services: Exploiting this vulnerability may lead to service downtime or degradation, as attackers can alter the operation of the Redis database, which can have cascading effects on applications that depend on its availability and performance.
Affected Version(s)
redis < 8.2.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
News Articles
Redis Critical Vulnerability Exposes over 60,000 Instances to RCE and Host Take Over - CPO Magazine
Security researchers at Wiz Research have discovered a critical vulnerability in the Redis in-memory database that could allow an attacker to gain remote code execution (RCE) capabilities and take over the host.
2 weeks ago
Week in review: Hackers extorting Salesforce, CentreStack 0-day exploited - Help Net Security
Here's an overview of some of last week's most interesting news, articles, interviews and videos: How to get better results from bug bounty programs
2 weeks ago
EPSS Score
6% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Vulnerability reached the number 1 worldwide trending spot
- Vulnerability started trending
- Public PoC available
- Used in Ransomware
- Exploit known to exist
- First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability Reserved
