A newly discovered Redis security flaw, tracked as CVE-2025-49844, has been rated with the maximum severity score. The vulnerability enables remote code execution through Redis’s built-in Lua scripting engine. Redis has urged all administrators to patch their systems immediately.
How the Flaw Works
The bug stems from a use-after-free error in Redis’s Lua engine. Attackers who can execute Lua scripts may trigger memory corruption and break out of the sandbox. This access allows them to run arbitrary code on the host, install malware, or steal sensitive data.
Security researchers revealed that the flaw has existed for over 13 years, affecting every Redis version with Lua scripting enabled. This makes it one of the most far-reaching vulnerabilities in the platform’s history.
Scope of Exposure
Redis remains one of the most popular in-memory data stores across cloud environments. Analysts at Wiz discovered more than 330,000 exposed Redis instances, with around 60,000 lacking authentication entirely. Many of these servers are active in production environments, creating a vast attack surface.
The flaw received a CVSS score of 10.0, reflecting its critical risk. Unpatched servers are vulnerable to complete system compromise, data theft, and lateral movement within networks.
Recommended Mitigation
Administrators should take immediate steps to secure their Redis deployments:
- Update to the latest patched version.
- Require authentication on every instance.
- Disable Lua scripting if it is not essential.
- Run Redis as a non-root user to minimize damage from potential exploits.
- Restrict network access and monitor logs for suspicious activity.
These hardening steps substantially reduce the risk of exploitation until the patched release is in place.
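As an added example (not from the article and not code from the Redis project), the following Python script audits a redis.conf against the checklist above: whether authentication is required, whether the instance is network-restricted, and whether the Lua entry points are switched off, either through the real ACL category `-@scripting` on the default user or, on older releases, by renaming EVAL and EVALSHA to the empty string. The sample configurations are constructed for illustration. Running as a non-root user is set in the service unit rather than redis.conf, and the article does not name the patched version, so neither is checked here.

```python
"""Audit a redis.conf for the hardening items in the mitigation list.

Added example: not taken from the article or from Redis itself. The
directive names (requirepass, bind, protected-mode, user, rename-command)
and the @scripting ACL category are real Redis settings; the sample
configurations below are constructed.
"""

# Redis commands that hand input to the Lua engine (the grouping is this
# example's own choice, the names are real Redis commands).
LUA_ENTRY_POINTS = {"eval", "evalsha"}


def parse_conf(text):
    """Return (directive, args) tuples, skipping blank lines and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def _last(entries, directive):
    """Redis honours the last occurrence of a directive; return its args."""
    found = [args for name, args in entries if name == directive]
    return found[-1] if found else None


def _acl_denies_scripting(args):
    """Walk ACL rules in order: a later +@all re-enables what -@scripting removed.
    Unknown starting state is treated as 'allowed' so the audit stays conservative."""
    denied = False
    for tok in args:
        if tok in ("+@all", "allcommands", "+@scripting"):
            denied = False
        elif tok == "-@scripting":
            denied = True
    return denied


def audit_redis_conf(text):
    """Map each checklist item to True (satisfied) or False (missing)."""
    entries = parse_conf(text)
    findings = {}

    # Authentication: a non-empty requirepass, or an ACL 'user default' line
    # carrying a password token (>plain or #sha256).
    rp = _last(entries, "requirepass")
    acl_default = [a for n, a in entries if n == "user" and a and a[0] == "default"]
    acl_has_pw = any(any(t.startswith((">", "#")) for t in a) for a in acl_default)
    findings["authentication"] = bool(rp and rp[0] not in ('""', "''")) or acl_has_pw

    # Network exposure: protected-mode defaults to yes when absent; an absent
    # bind means Redis listens on every interface.
    pm = _last(entries, "protected-mode")
    findings["protected_mode"] = pm is None or pm[0].lower() == "yes"
    bind = _last(entries, "bind")
    findings["bind_restricted"] = bool(bind) and not any(
        b.lstrip("-") in ("0.0.0.0", "*", "::") for b in bind
    )

    # Lua disabled: ACL denial on the default user, or both entry points
    # renamed to "" (the pre-ACL way of removing a command).
    acl_denies = any(_acl_denies_scripting(a) for a in acl_default)
    renamed = {
        a[0].lower()
        for n, a in entries
        if n == "rename-command" and len(a) == 2 and a[1] in ('""', "''")
    }
    findings["lua_disabled"] = acl_denies or LUA_ENTRY_POINTS <= renamed
    return findings


def missing_items(text):
    """Sorted list of checklist items the configuration fails."""
    return sorted(k for k, ok in audit_redis_conf(text).items() if not ok)


# Constructed samples: an exposed instance, a legacy-style partial hardening,
# and a configuration that satisfies every item in the list.
WEAK_CONF = """
# constructed: listens everywhere, no password, Lua reachable
port 6379
protected-mode no
bind 0.0.0.0
"""

LEGACY_CONF = """
# constructed: password set, but only EVAL renamed, EVALSHA still reachable
port 6379
bind 127.0.0.1
requirepass "REPLACE_WITH_LONG_RANDOM_SECRET"
rename-command EVAL ""
"""

HARDENED_CONF = """
# constructed: local bind, ACL password, scripting category denied
port 6379
bind 127.0.0.1 -::1
protected-mode yes
user default on >REPLACE_WITH_LONG_RANDOM_SECRET ~* &* +@all -@scripting
rename-command EVAL ""
rename-command EVALSHA ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label:9s} missing: {missing_items(conf) or 'nothing'}")
```

Point `audit_redis_conf` at the text of a live configuration file (or the output of `CONFIG GET` rewritten as directives) to get the same report for a running deployment; the ACL rule order matters, which is why the scripting check walks the rules left to right rather than searching for the token.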
Conclusion
The Redis security flaw CVE-2025-49844 highlights how long-standing code can create serious threats when overlooked. With hundreds of thousands of instances exposed, timely patching and strict configuration are crucial to prevent large-scale compromise.