Use-After-Free Vulnerability in Redis Open Source Database
CVE-2025-49844


Key Information:

Vendor: Redis
Status: Vendor
CVE Published: 3 October 2025

What is CVE-2025-49844?

CVE-2025-49844 is a use-after-free in the Lua scripting engine embedded in the Redis open-source database. It affects every Redis release in which Lua scripting is enabled (it is on by default), that is, Redis 8.2.1 and earlier. An authenticated client can trigger it by sending a specially crafted Lua script that manipulates the Lua garbage collector; the resulting use-after-free in the redis-server process can potentially be turned into remote code execution on the host. The fix is in Redis 8.2.2. Where patching cannot happen immediately, use Redis Access Control Lists (ACLs) to deny EVAL and EVALSHA so that untrusted users cannot run Lua scripts at all. Because the defect is in the Lua engine itself, the deny rule should cover every command that executes Lua, not only those two: the @scripting ACL category also contains EVAL_RO, EVALSHA_RO and the function calls FCALL and FCALL_RO, so denying the whole category (-@scripting) is the safer rule.
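The two checks a practitioner wants before the patch lands, written here as an added POSIX shell example that is not code from this advisory or from the Redis project: a version test against the fixed release 8.2.2 applied to the text of INFO server, and an evaluator that applies an ACL rule line left to right and reports which Lua-executing commands the user can still reach. The INFO output and the ACL rule lines are constructed samples; the ACL model is a simplification that handles +@all/-@all and their aliases, +@scripting/-@scripting and per-command +cmd/-cmd rules, and ignores other categories.

```shell
#!/bin/sh
# Added example for CVE-2025-49844, not code from the advisory or the Redis project.
# (1) is the server older than the fixed 8.2.2?  (2) does an ACL rule line still
# let a user reach a Lua-executing command?  Assumes the documented INFO format
# ("redis_version:x.y.z") and lowercase ACL rule tokens; the ACL evaluator is a
# simplification (see lua_commands_allowed).

FIXED_VERSION="8.2.2"

# Commands that execute Lua; all of them sit in the @scripting ACL category.
# Denying only eval and evalsha leaves the *_ro variants and functions callable.
LUA_COMMANDS="eval evalsha eval_ro evalsha_ro fcall fcall_ro"

# version_lt A B: succeeds (exit 0) when dotted version A is older than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Extract the version from the text of "INFO server" (or plain "INFO").
redis_version_from_info() {
    printf '%s\n' "$1" | sed -n 's/^redis_version:\([0-9][0-9.]*\).*/\1/p'
}

# is_affected INFO_TEXT: succeeds when the reported version is below 8.2.2.
is_affected() {
    ver=$(redis_version_from_info "$1")
    [ -n "$ver" ] && version_lt "$ver" "$FIXED_VERSION"
}

# Set helpers on space-separated lists.
set_add() {
    case " $1 " in
        *" $2 "*) printf '%s\n' "$1" ;;
        *)        printf '%s\n' "${1:+$1 }$2" ;;
    esac
}
set_del() {
    out=""
    for item in $1; do
        [ "$item" = "$2" ] || out="${out:+$out }$item"
    done
    printf '%s\n' "$out"
}

# lua_commands_allowed "ACL RULE LINE": prints the Lua-executing commands the
# rule still permits, applying command rules left to right as Redis does.
# Simplification: only +@all/-@all (and aliases), +@scripting/-@scripting and
# per-command +cmd/-cmd are modelled; other categories are ignored.
lua_commands_allowed() (
    set -f                      # keep ~* and &* key/channel patterns from globbing
    allowed=""
    for tok in $1; do
        case "$tok" in
            +@all|allcommands|+@scripting)     allowed="$LUA_COMMANDS" ;;
            -@all|nocommands|reset|-@scripting) allowed="" ;;
            +*) cmd=${tok#+}
                case " $LUA_COMMANDS " in
                    *" $cmd "*) allowed=$(set_add "$allowed" "$cmd") ;;
                esac ;;
            -*) allowed=$(set_del "$allowed" "${tok#-}") ;;
        esac
    done
    printf '%s\n' "$allowed"
)

# Constructed sample of "INFO server" output from an unpatched node.
SAMPLE_INFO="# Server
redis_version:8.2.1
redis_mode:standalone"

if is_affected "$SAMPLE_INFO"; then
    echo "redis $(redis_version_from_info "$SAMPLE_INFO") is affected; upgrade to $FIXED_VERSION"
fi

# The narrow rule (deny EVAL/EVALSHA only) versus the category-wide one.
echo "still allowed with -eval -evalsha: $(lua_commands_allowed 'user app on >s3cret ~* &* +@all -eval -evalsha')"
echo "still allowed with -@scripting:   '$(lua_commands_allowed 'user app on >s3cret ~* &* +@all -@scripting')'"
```

Run it against a live node by replacing SAMPLE_INFO with the output of `redis-cli INFO server` and the rule lines with those from your users.acl file or `ACL LIST`; the interesting result is the first echo, which shows that a rule denying only EVAL and EVALSHA still leaves eval_ro, evalsha_ro, fcall and fcall_ro reachable.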

Affected Version(s)

redis < 8.2.2

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Vector (assembled from the metrics listed): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Note: the CVSS v3.1 base formula applied to these metrics yields 9.9, not 10; a v3.1 base score of 10.0 would require Privileges Required: None. The metrics themselves match the description: an authenticated attacker (PR: Low) escapes the Lua sandbox into the redis-server process (Scope: Changed) with full impact on confidentiality, integrity and availability.

Timeline

  • Vulnerability published: 3 October 2025

  • CVE reserved
