8.2.3
CVE-2025-49844 affects Redis versions 8.2.1 and earlier. This vulnerability allows an authenticated user to leverage specially crafted Lua scripts to manipulate the garbage collector, leading to a use-after-free condition. Successful exploitation can result in Remote Code Execution (RCE) on the Redis server. The vulnerability is fixed in version 8.2.2, and users are strongly advised to upgrade.
The impact of CVE-2025-49844 is severe due to the potential for Remote Code Execution. An attacker, having valid authentication credentials, could inject a malicious Lua script that manipulates Redis's garbage collection process. This manipulation can trigger a use-after-free error, allowing the attacker to overwrite memory and ultimately execute arbitrary code on the Redis server. The blast radius extends to any data stored within Redis, as an attacker could potentially read, modify, or delete sensitive information. Furthermore, if Redis is used as a caching layer or session store for other applications, a successful exploit could lead to lateral movement and compromise of those applications as well. This vulnerability shares similarities with other memory corruption vulnerabilities where crafted scripts can bypass security controls.
CVE-2025-49844 was published on 2025-10-03. The CVSS score is 10.0 (CRITICAL), indicating a high probability of exploitation. While no public proof-of-concept (PoC) exploit had been released as of this writing, the severity and ease of exploitation (requiring only authentication) suggest that it is likely to become a target for attackers. Monitor KEV and CISA advisories for updates regarding active exploitation campaigns. The vulnerability's reliance on Lua scripting makes it potentially attractive to attackers familiar with Redis internals.
Exploitation status
EPSS
12.43% (94th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49844 is to upgrade to Redis version 8.2.2 or later, which contains the fix. If immediate patching is not possible, a workaround involves restricting user access to Lua scripting capabilities. This can be achieved by implementing Access Control Lists (ACLs) to deny the EVAL and EVALSHA commands. These commands are the primary vectors for executing malicious Lua scripts. Carefully review existing Lua scripts to ensure they are not vulnerable. After upgrading, confirm the fix by attempting to execute a known vulnerable Lua script and verifying that it is rejected or fails with an appropriate error message.
Update Redis to 8.2.2 or later. Alternatively, ACLs can be used to restrict the EVAL and EVALSHA commands and so prevent Lua script execution.
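An added example (not part of the advisory) that turns the mitigation above into a repeatable check: gate on the fixed version 8.2.2, emit the ACL rule for a user, and classify the reply to an EVAL attempt. It generalises the advisory's EVAL/EVALSHA rule by also removing the read-only variants and Redis Functions (FCALL), which run Lua on Redis 7+; it assumes redis-cli is on PATH and takes connection flags from the hypothetical REDIS_CLI_OPTS variable.

```shell
#!/bin/sh
# Added example, not the Redis project's own tooling.
# Assumed: redis-cli on PATH; connection flags in the hypothetical REDIS_CLI_OPTS,
# e.g. REDIS_CLI_OPTS="-h cache01 --user admin --pass <admin-password>".

# Print "fixed" for 8.2.2 or later (the advisory's fixed release), else "affected".
# A pre-release suffix such as "-rc1" is ignored, so an rc of 8.2.2 counts as fixed.
redis_version_status() {
  v=$1
  major=${v%%.*}; r=${v#*.}
  minor=${r%%.*}
  case $r in
    *.*) r=${r#*.}; patch=${r%%[!0-9]*} ;;   # "8.2.1-rc1" -> patch 1
    *)   patch=0 ;;                           # "8.2" -> treat as 8.2.0
  esac
  n=$((major * 1000000 + minor * 1000 + patch))
  if [ "$n" -ge $((8 * 1000000 + 2 * 1000 + 2)) ]; then echo fixed; else echo affected; fi
}

# ACL rule removing the Lua entry points for one user. The advisory names EVAL and
# EVALSHA; EVAL_RO/EVALSHA_RO and FCALL/FCALL_RO also execute Lua, so they are removed too.
lua_deny_rule() {
  echo "ACL SETUSER $1 -eval -evalsha -eval_ro -evalsha_ro -fcall -fcall_ro"
}

# Classify a redis-cli reply to an EVAL attempt: "denied" when the ACL blocked it.
# redis-cli prints ACL rejections as "(error) NOPERM ...", so NOPERM is the marker.
classify_eval_reply() {
  case $1 in
    *NOPERM*) echo denied ;;
    *)        echo allowed ;;
  esac
}

# Live run: read the server version; if still affected, apply the rule to <user> and
# verify that EVAL is now rejected for that user. Invoked as: sh this.sh apply <user> <pass>
audit_and_harden() {
  user=$1; pass=$2
  ver=$(redis-cli $REDIS_CLI_OPTS INFO server | tr -d '\r' | sed -n 's/^redis_version://p')
  status=$(redis_version_status "$ver")
  echo "redis_version=$ver status=$status"
  if [ "$status" = affected ]; then
    redis-cli $REDIS_CLI_OPTS $(lua_deny_rule "$user")
    reply=$(redis-cli $REDIS_CLI_OPTS --user "$user" --pass "$pass" EVAL "return 1" 0 2>&1)
    echo "eval_after_acl=$(classify_eval_reply "$reply")"
  fi
}

if [ "${1:-}" = apply ]; then audit_and_harden "$2" "$3"; fi
```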
It's a CRITICAL Remote Code Execution (RCE) vulnerability in Redis versions 8.2.1 and earlier, allowing authenticated users to execute code via malicious Lua scripts.
If you are running Redis versions 8.2.1 or earlier, you are vulnerable. Check your version and upgrade immediately.
Upgrade to Redis version 8.2.2 or later. As a temporary workaround, restrict Lua script execution using ACLs to deny EVAL and EVALSHA commands.
No public exploits are currently available, but the high CVSS score and ease of exploitation suggest it's a likely target.
Refer to the Redis security advisory and the NVD entry for CVE-2025-49844 for detailed information and updates.