Redis has disclosed a critical vulnerability in its in-memory database software that carries the maximum possible severity rating and can lead to remote code execution. The flaw, tracked as CVE-2025-49844 and nicknamed “RediShell”, has been assigned a CVSS score of 10.0. 

According to Redis’ GitHub advisory, an authenticated user can exploit the issue by sending a specially crafted Lua script that manipulates the Lua garbage collector, triggers a use-after-free condition, and leads to arbitrary code execution. The flaw affects every version of Redis that supports Lua scripting. Exploitation requires the attacker to be able to run a script, so the instances most at risk are those exposed to the internet with no password set or with weak credentials: an exposed instance without authentication is effectively exploitable by anyone who can reach its port, and on an authenticated instance any leaked credential for a user allowed to run scripts is enough. 

Redis has issued patches in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, released on October 3, 2025. Until these updates can be applied, administrators are urged to reduce exposure by restricting Lua script execution. This can be done with access control lists (ACLs) that block the EVAL and EVALSHA commands and ensure that only trusted identities may execute scripts or other sensitive commands. Note that Redis Functions (FUNCTION and FCALL) also run Lua, so revoking the whole @scripting category (the ACL rule -@scripting) is a more complete restriction than blocking EVAL and EVALSHA alone. This is a temporary workaround, not a fix: the vulnerable code remains until the server is upgraded. 

The vulnerability was discovered by cloud security firm Wiz and reported to Redis on May 16, 2025. Wiz described it as a use-after-free memory corruption flaw that had existed unnoticed in Redis for roughly 13 years. It allows a post-authentication attacker to escape the Lua sandbox and run arbitrary native code on the underlying host with the privileges of the redis-server process, which on many deployments means full control of the machine (and is why running Redis as a non-root user limits the blast radius). In practical terms, a successful attack could enable data theft, malware installation, cryptojacking, or lateral movement across cloud environments. 

Although there is no evidence that the flaw has been exploited in the wild, Redis remains a frequent target for attackers because of its popularity and common misconfigurations. At the time of disclosure, internet scans showed around 330,000 Redis instances exposed online, roughly 60,000 of which have no authentication at all, leaving them exploitable by anyone who can connect. 

What you should do: 

  • Update Redis immediately: Upgrade to a patched release (6.2.20, 7.2.11, 7.4.6, 8.0.4 or 8.2.2, or later). Prioritise internet-exposed and unauthenticated instances. 
Security hardening: 
  • Enable Redis authentication: Set a password with the requirepass directive or, better, define ACL users (Redis 6 and later) with strong passwords and only the commands and key patterns each application needs; disable the built-in default user (user default off) once applications have their own accounts. 
  • Disable unnecessary commands: If Lua scripting is not used, revoke it for every user with the ACL rule -@scripting (which covers EVAL, EVALSHA, SCRIPT, FUNCTION and FCALL) or remove the commands with rename-command. Apply the same treatment to other dangerous commands such as CONFIG and DEBUG. 
  • Run with minimal privileges: Run redis-server as a dedicated non-root user so that code execution inside the process does not hand over the whole host. 
  • Enable logging and monitoring: Turn on Redis logging, ship it to a central system, and watch for unexpected scripting (EVAL/EVALSHA/FCALL) or CONFIG activity and for connections from unexpected sources. 
  • Implement network-level access controls: Bind Redis to internal interfaces only (the bind directive, with protected-mode yes), and use firewalls, security groups and Virtual Private Clouds (VPCs) so that only authorised application networks can reach the Redis port; never expose it directly to the internet. 
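As an added example (not code from Redis, Wiz or this bulletin), the following Python script checks the two parts of the advice above that can be verified offline: whether a reported Redis version is on a patched release, and whether a redis.conf with inline ACL rules still leaves Lua scripting reachable, an enabled user without a password, or a bind to all interfaces. The INFO output, configuration text, user names and passwords in it are constructed placeholders, and its ACL evaluator is a deliberate simplification of Redis’ rule processing (only @all, @scripting and explicit command names are modelled).

```python
"""Offline checks for the CVE-2025-49844 mitigations described above.

Added example, not tooling from Redis or Wiz. It audits two constructed
inputs: the redis_version line of `INFO server` (is this build patched?)
and a redis.conf text with inline ACL `user` rules (is Lua scripting still
reachable by an enabled user, is the instance authenticated, is it bound
to internal addresses only?).
"""
import re

# Fixed versions from the Redis advisory, keyed by release branch.
FIXED_VERSIONS = {(6, 2): (6, 2, 20), (7, 2): (7, 2, 11), (7, 4): (7, 4, 6),
                  (8, 0): (8, 0, 4), (8, 2): (8, 2, 2)}

# Commands that run or manage Lua code; all are in the @scripting ACL category.
SCRIPTING_COMMANDS = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO",
                      "SCRIPT", "FUNCTION", "FCALL", "FCALL_RO"}


def parse_version(info_server):
    """Return (major, minor, patch) from `INFO server` output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server, re.M)
    if not m:
        raise ValueError("no redis_version line in INFO output")
    return tuple(int(x) for x in m.groups())


def patch_status(version):
    """'patched'/'vulnerable' on the five fixed branches. Other branches
    (6.0, 7.0, pre-releases) received no fix and must move to a fixed one."""
    fixed = FIXED_VERSIONS.get(tuple(version[:2]))
    if fixed is None:
        return "unsupported-branch"
    return "patched" if tuple(version) >= fixed else "vulnerable"


def scripting_allowed(rules, disabled=frozenset()):
    """Replay ACL rules left to right (a new user starts at -@all) and report
    whether any scripting command is still permitted. Simplification: only
    @all, @scripting and explicit command names are modelled; a broader
    category such as +@slow (which also contains EVAL) is not, so treat a
    False result as a hint to confirm with `ACL GETUSER`, not as proof."""
    allowed = dict.fromkeys(SCRIPTING_COMMANDS - disabled, False)
    for tok in rules:
        low = tok.lower()
        if low in ("allcommands", "+@all", "+@scripting"):
            allowed = dict.fromkeys(allowed, True)
        elif low in ("nocommands", "-@all", "-@scripting"):
            allowed = dict.fromkeys(allowed, False)
        elif low[:1] in ("+", "-") and low[1:2] != "@":
            cmd = low[1:].split("|")[0].upper()      # "+script|load" -> SCRIPT
            if cmd in allowed:
                allowed[cmd] = low[0] == "+"
    return any(allowed.values())


def audit_config(conf):
    """Findings against the bulletin's hardening list for one redis.conf text."""
    directives, users = {}, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        if key.lower() == "user" and args:
            users[args[0]] = args[1:]
        else:
            directives.setdefault(key.lower(), []).append(args)

    findings = []
    bind = [a.lstrip("-") for args in directives.get("bind", []) for a in args]
    if not bind or any(a in ("0.0.0.0", "*", "::", "::*") for a in bind):
        findings.append("bind: listens on all interfaces; bind to internal addresses only")
    pm = directives.get("protected-mode", [["yes"]])[0]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode no: remote clients are accepted without a password")

    # `rename-command EVAL ""` removes a command for everyone (deprecated, still honoured).
    disabled = {a[0].upper() for a in directives.get("rename-command", [])
                if len(a) > 1 and a[1] in ('""', "''")}

    # requirepass is shorthand for a password on the default user; with neither,
    # Redis' built-in default user is on, nopass and +@all.
    if "default" not in users:
        if "requirepass" in directives:
            users["default"] = ["on", ">" + directives["requirepass"][0][0], "~*", "&*", "+@all"]
        else:
            users["default"] = ["on", "nopass", "~*", "&*", "+@all"]

    for name, rules in users.items():
        enabled, has_password = False, False      # config-defined users start off, no password
        for tok in rules:
            if tok == "on":
                enabled = True
            elif tok == "off":
                enabled = False
            elif tok in ("nopass", "resetpass"):
                has_password = False
            elif tok[:1] in (">", "#"):
                has_password = True
        if not enabled:
            continue
        if not has_password:
            findings.append(f"user {name}: enabled without a password")
        if scripting_allowed(rules, disabled):
            findings.append(f"user {name}: can run Lua scripts; add -@scripting until patched")
    return findings


# Constructed samples: placeholder addresses and passwords, not real deployments.
INFO_BEFORE = "# Server\nredis_version:7.4.3\nredis_mode:standalone\n"
CONF_BEFORE = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
INFO_AFTER = "# Server\nredis_version:7.4.6\nredis_mode:standalone\n"
CONF_AFTER = """
bind 10.0.1.5 127.0.0.1
protected-mode yes
port 6379
user default off
user app on >app-password-placeholder ~app:* &* -@all +@read +@write -@scripting
user ops on >ops-password-placeholder ~* &* +@all -@scripting
"""

if __name__ == "__main__":
    for label, info, conf in (("before", INFO_BEFORE, CONF_BEFORE),
                              ("after", INFO_AFTER, CONF_AFTER)):
        print(label, patch_status(parse_version(info)), audit_config(conf) or "no findings")
```

In a real audit the INFO text would come from `redis-cli INFO server` and the ACL rules from `ACL LIST` on the running instance rather than from the config file, since rules set with `ACL SETUSER` at runtime are not visible in redis.conf.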


If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 
