Platform
redis
Component
redis
Fixed in
8.2.3
CVE-2025-49844 affects Redis versions 8.2.1 and earlier. This vulnerability allows an authenticated user to leverage specially crafted Lua scripts to manipulate the garbage collector, leading to a use-after-free condition. Successful exploitation can result in Remote Code Execution (RCE) on the Redis server. The vulnerability is fixed in version 8.2.2, and users are strongly advised to upgrade.
The impact of CVE-2025-49844 is severe because it can lead to Remote Code Execution. An attacker holding valid authentication credentials could submit a malicious Lua script that manipulates Redis's garbage collection process. That manipulation can trigger a use-after-free error, which lets the attacker overwrite memory and ultimately execute arbitrary code on the Redis server. The blast radius covers all data held in Redis, since the attacker could read, modify, or delete sensitive information. If Redis also serves as a caching layer or session store for other applications, a successful exploit could enable lateral movement into those applications. The vulnerability resembles other memory corruption flaws in which a crafted script is used to bypass security controls.
CVE-2025-49844 was published on 2025-10-03. The CVSS score is 10.0 (CRITICAL), indicating a high probability of exploitation. No public Proof-of-Concept (PoC) exploit had been released as of this writing, but the severity and ease of exploitation (only authentication is required) make it a likely target for attackers. Monitor CISA's Known Exploited Vulnerabilities (KEV) catalog and advisories for reports of active exploitation campaigns. Because the flaw is reached through Lua scripting, it is potentially attractive to attackers familiar with Redis internals.
Exploit status
EPSS
12.43% (94th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49844 is to upgrade to Redis version 8.2.2 or later, which contains the fix. If immediate patching is not possible, a workaround is to restrict which users may run Lua scripts: use Access Control Lists (ACLs) to deny the EVAL and EVALSHA commands, which are the primary vectors for executing malicious Lua scripts. Carefully review existing Lua scripts to ensure they are not vulnerable. After upgrading, confirm the fix by attempting to execute a known vulnerable Lua script and verifying that it is rejected or fails with an appropriate error message.
Update Redis to version 8.2.2 or later. Alternatively, restrict use of the EVAL and EVALSHA commands with ACLs to prevent the execution of Lua scripts.
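The two checks above (is the server below the fixed release, and which ACL users can still reach Lua scripting while it is unpatched) can be run offline against captured `INFO server` and `ACL LIST` output. The following is an added example, not code from Redis or from this advisory; it assumes the standard `ACL LIST` line format, a `redis_version` field in `INFO server`, and that Redis's built-in `@scripting` category contains the commands listed in `SCRIPTING_COMMANDS` (the page itself names only EVAL and EVALSHA). Sample inputs are constructed, and password hashes are placeholders.

```python
"""Offline exposure checks for CVE-2025-49844 (added example, not Redis code).

Two questions a defender asks about each Redis host:
  1. Is redis_version below the fixed release named on this page (8.2.2)?
  2. Which ACL users can still reach Lua scripting (EVAL/EVALSHA and the
     rest of the @scripting category) while the host is unpatched?
"""
import re

FIXED_VERSION = (8, 2, 2)  # fixed release as stated on this page

# Assumed membership of Redis's built-in @scripting ACL category.
SCRIPTING_COMMANDS = frozenset({
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "script", "function", "fcall", "fcall_ro",
})

# Constructed sample of `INFO server` output; not captured from a real host.
SAMPLE_INFO_SERVER = """# Server
redis_version:8.2.1
redis_mode:standalone
os:Linux 6.8.0 x86_64
"""

# Constructed sample `ACL LIST` lines; hashes are placeholders.
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user appuser on sanitize-payload #<sha256-placeholder> ~app:* &* +@all -@scripting",
    "user cache on #<sha256-placeholder> ~cache:* resetchannels -@all +get +set +del +eval",
]


def parse_version(info_text: str) -> tuple[int, ...]:
    """Extract redis_version from `INFO server` output as a tuple of ints."""
    m = re.search(r"^redis_version:(\d+(?:\.\d+)*)", info_text, re.MULTILINE)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: tuple[int, ...]) -> bool:
    """True when the running version predates the fixed release."""
    return version < FIXED_VERSION


def allowed_scripting(acl_line: str) -> frozenset[str]:
    """Replay the command rules of one ACL LIST line left to right and return
    the scripting commands the user can still call.

    Only @all and @scripting are modelled as categories; flags, passwords,
    key patterns and channel patterns are ignored, and a subcommand rule such
    as `-script|flush` is flattened to its parent command."""
    allowed: set[str] = set()
    for token in acl_line.split()[2:]:  # skip "user <name>"
        low = token.lower()
        if low in ("allcommands", "+@all", "+@scripting"):
            allowed = set(SCRIPTING_COMMANDS)
        elif low in ("nocommands", "-@all", "-@scripting"):
            allowed.clear()
        elif low[:1] in "+-" and not low.startswith(("+@", "-@")):
            cmd = low[1:].split("|", 1)[0]
            if cmd in SCRIPTING_COMMANDS:
                (allowed.add if low[0] == "+" else allowed.discard)(cmd)
    return frozenset(allowed)


def harden(acl_line: str) -> str:
    """Append the deny rule the page recommends, widened from EVAL/EVALSHA to
    the whole @scripting category. ACL rules apply in order, so a trailing
    -@scripting overrides any earlier grant."""
    if not allowed_scripting(acl_line):
        return acl_line
    return acl_line + " -@scripting"


def report(info_text: str, acl_lines: list[str]) -> dict[str, object]:
    """Summarise one host: version status and users still able to run scripts."""
    version = parse_version(info_text)
    exposed = {
        line.split()[1]: sorted(allowed_scripting(line))
        for line in acl_lines
        if allowed_scripting(line)
    }
    return {
        "version": ".".join(map(str, version)),
        "vulnerable": is_vulnerable(version),
        "users_with_scripting": exposed,
    }


if __name__ == "__main__":
    print(report(SAMPLE_INFO_SERVER, SAMPLE_ACL_LIST))
    for line in SAMPLE_ACL_LIST:
        print(harden(line))
```

On the constructed sample the report flags version 8.2.1 as vulnerable and lists `default` (every scripting command) and `cache` (EVAL granted explicitly after `-@all`) as users who can still run scripts; `appuser` is already closed off. The trailing rule `harden` produces is what you would apply at runtime with `ACL SETUSER <name> -@scripting` or persist in the ACL file until the upgrade to 8.2.2 is done.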
It's a CRITICAL Remote Code Execution (RCE) vulnerability in Redis versions 8.2.1 and earlier, allowing authenticated users to execute code via malicious Lua scripts.
If you are running Redis versions 8.2.1 or earlier, you are vulnerable. Check your version and upgrade immediately.
Upgrade to Redis version 8.2.2 or later. As a temporary workaround, restrict Lua script execution using ACLs to deny EVAL and EVALSHA commands.
No public exploits are currently available, but the high CVSS score and ease of exploitation suggest it's a likely target.
Refer to the Redis security advisory and the NVD entry for CVE-2025-49844 for detailed information and updates.