Use-After-Free Vulnerability in Redis Open Source Database
CVE-2025-49844

10CRITICAL

Key Information:

Vendor

Redis

Status
Vendor
CVE Published:
3 October 2025

Badges

๐Ÿ”ฅ Trending now๐Ÿฅ‡ Trended No. 1๐Ÿ“ˆ Trended๐Ÿ“ˆ Score: 13,300๐Ÿ’ฐ Ransomware๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC๐Ÿ“ฐ News Worthy

What is CVE-2025-49844?

CVE-2025-49844 is a use-after-free vulnerability found in the Redis open-source database, which is widely used for in-memory data storage and caching. This vulnerability allows authenticated users to exploit a flaw in the Lua scripting capability of Redis to manipulate its garbage collector. If successfully exploited, this can lead to remote code execution on the Redis server. This flaw exists in all versions up to 8.2.1 and poses a serious threat to organizations that utilize Redis, as it could allow attackers to execute malicious scripts on the server, ultimately compromising the integrity and confidentiality of stored data. To mitigate the risk, an immediate upgrade to version 8.2.2 is recommended, which addresses the vulnerability. Alternatively, organizations can limit the execution of Lua scripts through access control lists (ACLs) to temporarily alleviate the threat without applying the patch.

Potential impact of CVE-2025-49844

  1. Remote Code Execution: Exploiting this vulnerability can enable attackers to run arbitrary code on the Redis server, potentially compromising the entire system and allowing them to control the underlying infrastructure.

  2. Data Integrity and Confidentiality Risks: Through remote code execution, malicious actors could manipulate, steal, or delete sensitive data stored in Redis, resulting in significant data breaches and loss of trust.

  3. Disruption of Services: Exploiting this vulnerability may lead to service downtime or degradation, as attackers can alter the operation of the Redis database, which can have cascading effects on applications that depend on its availability and performance.

Affected Version(s)

redis < 8.2.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

Redis Critical Vulnerability Exposes over 60,000 Instances to RCE and Host Take Over - CPO Magazine

Security researchers at Wiz Research have discovered a critical vulnerability in the Redis in-memory database that could allow an attacker to gain remote code execution (RCE) capabilities and take over the host.

2 weeks ago

Week in review: Hackers extorting Salesforce, CentreStack 0-day exploited - Help Net Security

Hereโ€™s an overview of some of last weekโ€™s most interesting news, articles, interviews and videos: How to get better results from bug bounty programs

2 weeks ago

References

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • ๐Ÿฅ‡

    Vulnerability reached the number 1 worldwide trending spot

  • ๐Ÿ“ˆ

    Vulnerability started trending

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ’ฐ

    Used in Ransomware

  • ๐Ÿ‘พ

    Exploit known to exist

  • ๐Ÿ“ฐ

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-49844 : Use-After-Free Vulnerability in Redis Open Source Database