Recently, Redis officially released a security notice, disclosing a Lua Script Remote Code Execution Vulnerability (CVE-2025-49844). An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting.

Redis is an open source, network supported, memory based, distributed, and optionally persistent key value pair storage database. If you are a Redis user, check your system and implement timely security hardening.

Reference:

https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q

https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539

critical

(Severity: low, medium, important, and critical)

Redis < 6.2.20

7.2.0 ≤ Redis < 7.2.11

7.4.0 ≤ Redis < 7.4.6

8.0.0 ≤ Redis < 8.0.4

8.2.0 ≤ Redis < 8.2.2

Redis >= 7.2.11

Redis >= 7.4.6

Redis >= 8.0.4

Redis >= 8.2.2

This vulnerability has been fixed in later official versions. If your service version falls into the affected range, upgrade it to a latest secure version.

https://github.com/redis/redis/releases

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.

Get more professional support at any time

Contact Us