Use-After-Free Vulnerability in Redis Open Source Database
CVE-2025-49844
10 CRITICAL
What is CVE-2025-49844?
An issue has been identified in the Redis open-source database that affects every version with Lua scripting enabled. An authenticated user can exploit this vulnerability by executing a specially crafted Lua script that manipulates the garbage collector. This can result in a use-after-free condition, potentially allowing remote code execution. The problem affects Redis versions 8.2.1 and below. As an interim mitigation, before patching, operators can restrict the execution of Lua scripts by using Access Control Lists (ACLs) to deny the EVAL and EVALSHA commands. The vulnerability has been addressed in Redis version 8.2.2.
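The ACL mitigation described above can be audited against the output of Redis's ACL LIST command; the script below is an added example, not code from the advisory or from the Redis project, and it reports every enabled user who can still run EVAL or EVALSHA. It assumes a simplified rule evaluator (rules applied left to right, last rule wins; EVAL and EVALSHA taken to belong to the @all, @scripting and @slow categories; ACL selectors are not evaluated, only flagged for manual review) and runs over a constructed sample of ACL LIST output.

```python
# Added example, not from the advisory. Simplified Redis ACL evaluator:
# rules apply left to right (last wins); EVAL/EVALSHA are assumed to sit in
# the @all, @scripting and @slow categories; selectors "(...)" are only flagged.
SCRIPT_COMMANDS = ("eval", "evalsha")
CATEGORIES_WITH_SCRIPTING = {"all", "scripting", "slow"}


def evaluate_user(acl_line):
    """Parse one `user ...` line of ACL LIST output into a permission summary."""
    tokens = acl_line.split()
    enabled = selector = False
    allowed = dict.fromkeys(SCRIPT_COMMANDS, False)
    for tok in tokens[2:]:
        rule = tok.lower()
        if rule in ("on", "off"):
            enabled = rule == "on"
        elif rule in ("nocommands", "allcommands"):
            allowed = dict.fromkeys(SCRIPT_COMMANDS, rule == "allcommands")
        elif rule.startswith("("):              # selector: needs manual review
            selector = True
        elif rule[0] in "+-":                   # command or @category rule
            grant, body = rule[0] == "+", rule[1:]
            if body.startswith("@") and body[1:] in CATEGORIES_WITH_SCRIPTING:
                allowed = dict.fromkeys(SCRIPT_COMMANDS, grant)
            elif body in allowed:
                allowed[body] = grant
        # passwords, key (~) and channel (&) patterns do not affect commands
    return {"user": tokens[1], "enabled": enabled,
            "allowed": allowed, "selector": selector}


def audit_acl_list(acl_lines):
    """(user, [script commands still permitted]) for each enabled user."""
    findings = []
    for u in map(evaluate_user, acl_lines):
        still = [c for c in SCRIPT_COMMANDS if u["allowed"][c]]
        still += ["(selector)"] if u["selector"] else []
        if u["enabled"] and still:
            findings.append((u["user"], still))
    return findings


# Constructed sample of ACL LIST output (not taken from a real server).
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<hash> ~app:* &* -@all +@scripting +get +set",
    "user hardened on #<hash> ~* &* +@all -eval -evalsha",
    "user reporting on #<hash> ~stats:* &* -@all +@slow -eval",
    "user legacy off ~* &* +@all",
]
```

Only the `hardened` user in the sample carries the advisory's mitigation; the `default` user, which Redis creates with full permissions, is the one most deployments forget to restrict.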
Affected Version(s)
redis < 8.2.2