Full Report
The Redis security team has released patches for a maximum severity vulnerability that could allow attackers to gain remote code execution on thousands of vulnerable instances. [...]
Analysis Summary
# Vulnerability: Critical Redis Lua Use-After-Free Leading to RCE (RediShell)
## CVE Details
- CVE ID: CVE-2025-49844
- CVSS Score: 10.0 (Critical)
- CWE: Use-After-Free (CWE-416)
## Affected Systems
- Products: Redis Software, Redis Open Source / Community Edition (OSS/CE), and Redis Stack.
- Versions: Every release with Lua scripting support, on all branches, prior to the patched versions listed under Remediation.
- Configurations: Instances with Lua scripting enabled, which is the default. Exploitation requires the attacker to be **authenticated**; an instance reachable over the network without a password (protected mode disabled, or `bind` set without `requirepass` or ACL passwords) is therefore exploitable by anyone who can reach the port.
## Vulnerability Description
This is a critical use-after-free (UAF) in the Lua interpreter bundled with Redis, reached through the scripting commands (`EVAL`, `EVALSHA` and related). An authenticated attacker submits a specially crafted Lua script that manipulates the interpreter's garbage collector and triggers the UAF; the resulting memory corruption is then used to escape the Lua sandbox and execute native code inside the `redis-server` process. In the public demonstration this was used to open a reverse shell, giving Remote Code Execution (RCE) on the Redis host with the privileges of the user running Redis.
## Exploitation
- Status: Exploit demonstrated publicly by Wiz researchers at Pwn2Own Berlin 2025 (dubbed 'RediShell').
- Complexity: Low once the attacker can authenticate; the gating factor is credentials, not exploit difficulty.
- Attack Vector: Network.
- Privileges Required: Low (any authenticated user permitted to run the scripting commands).
## Impact
- Confidentiality: High (full access to data in memory and on the host; data theft).
- Integrity: High (modify, wipe, or encrypt data; deploy malware or persistence).
- Availability: High (denial of service, resource hijacking such as cryptomining).
- Post-exploitation: the compromised host is used as a pivot for lateral movement to systems reachable from the Redis server.
## Remediation
### Patches
Administrators must **immediately** apply security updates:
* **Redis Software:** 7.22.2-12 and above, 7.8.6-207 and above, 7.4.6-272 and above, 7.2.4-138 and above, 6.4.2-131 and above.
* **Redis OSS/CE:** 8.2.2 and above, 8.0.4 and above, 7.4.6 and above, 7.2.11 and above.
* **Redis Stack:** 7.4.0-v7 and above, 7.2.0-v19 and above.
### Workarounds
If immediate patching is not possible, implement the following temporary mitigations:
1. Require authentication on every instance (`requirepass`, or ACL users with passwords) and remove `nopass` from the `default` user.
2. Deny the scripting commands to every user that does not need them, using ACLs (`-@scripting`, which removes `EVAL`, `EVALSHA`, `EVAL_RO`, `EVALSHA_RO`, `SCRIPT` and the `FUNCTION`/`FCALL` family). Redis Software offers a per-database option to disable Lua scripting where applicable; Redis OSS/CE has no single configuration switch, so ACLs are the mechanism there.
3. Restrict other unnecessary or dangerous commands the same way (for example `-@dangerous`, or per-command rules such as `-CONFIG`, `-DEBUG`, `-MODULE`).
4. Run `redis-server` as a dedicated unprivileged user, so that code execution in the process does not land as root.
5. Bind to internal interfaces only and limit reachability with firewall or VPC rules; never expose the port to the internet.
6. Enable logging and monitoring (see Detection), since exploitation must go through the scripting commands and leaves process and network traces on the host.
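The patch list above and the ACL-based workaround both come down to two checks a practitioner wants to run against every instance: is the build at or above the fixed release for its branch, and which enabled users can still reach the scripting commands (and without a password). The following is an added example, not part of the original advisory or of Redis' own tooling; it works offline on the text that `redis-cli INFO server` and `redis-cli ACL LIST` return, covers only the OSS/CE version scheme (the Redis Software and Redis Stack numbering would need their own table), and the sample replies embedded at the bottom are constructed.

```python
"""Offline exposure audit for CVE-2025-49844 (added example, not part of
the original advisory or of Redis' own tooling).

Input is the text that `redis-cli INFO server` and `redis-cli ACL LIST`
return. Two questions are answered: is this Redis OSS/CE build at or above
the fixed release for its branch, and which enabled ACL users can still
reach the Lua scripting commands, and whether they need a password to do
so. The sample replies at the bottom are constructed for this example.
"""
import re

# Fixed Redis OSS/CE releases from the advisory, keyed by (major, minor).
# Any other branch (7.0, 6.2, ...) has no fixed release and is treated as
# vulnerable, since every release with Lua scripting is affected.
OSS_FIXED = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
}

# Commands removed by `-@scripting`. Other categories that may also grant
# some of these are not expanded, so the result is a lower bound: a user
# reported as unable to script should be re-checked on a live instance
# with `ACL DRYRUN <user> EVAL "return 1" 0`.
SCRIPTING_CMDS = frozenset({
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "fcall", "fcall_ro", "function", "script",
})


def parse_version(text):
    """'7.2.4' -> (7, 2, 4); suffixes such as '-rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised Redis version: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_patched_oss(version):
    """True if an OSS/CE build carries the fix for CVE-2025-49844."""
    v = parse_version(version)
    fixed = OSS_FIXED.get(v[:2])
    return fixed is not None and v >= fixed


def redis_version_from_info(info_text):
    """Pull redis_version out of an `INFO server` reply."""
    for line in info_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "redis_version":
            return value
    raise ValueError("redis_version not present in INFO reply")


def parse_acl_user(acl_line):
    """Evaluate one `ACL LIST` line -> (name, enabled, nopass, can_script).

    Command rules are applied left to right as Redis does; only +/- rules
    and the allcommands/nocommands aliases are considered.
    """
    tokens = acl_line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError("not an ACL LIST line: %r" % acl_line)
    name, rules = tokens[1], tokens[2:]
    allowed = set()
    for tok in rules:
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed |= SCRIPTING_CMDS
        elif tok in ("-@all", "nocommands"):
            allowed.clear()
        elif tok == "-@scripting":
            allowed -= SCRIPTING_CMDS
        elif tok[0] in "+-" and tok[1:2] != "@":
            # Single-command rule; a subcommand rule like +function|list is
            # reduced to its base command, which over-approximates the grant.
            cmd = tok[1:].split("|")[0].lower()
            if cmd in SCRIPTING_CMDS:
                (allowed.add if tok[0] == "+" else allowed.discard)(cmd)
    return name, "on" in rules, "nopass" in rules, bool(allowed)


def audit(info_text, acl_list_lines):
    """Return human-readable findings for one instance."""
    findings = []
    version = redis_version_from_info(info_text)
    if not is_patched_oss(version):
        findings.append("redis_version %s is not a fixed release" % version)
    for line in acl_list_lines:
        name, enabled, nopass, can_script = parse_acl_user(line)
        if enabled and can_script:
            how = "without a password" if nopass else "with a password"
            findings.append("user %r can run Lua scripting commands %s"
                            % (name, how))
    return findings


# Constructed sample replies; '#<hash>' stands in for a SHA-256 password hash.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<hash> ~app:* resetchannels +@all -@scripting",
    "user batch on #<hash> ~* &* -@all +@read +eval",
    "user legacy off nopass ~* &* +@all",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INFO, SAMPLE_ACL):
        print("FINDING:", finding)
```

On the constructed sample the audit reports the unpatched 7.2.4 build, the password-less `default` user (the worst case: anyone who can reach the port can exploit the bug) and the `batch` user, whose `-@all` reset is undone for `EVAL` by a later `+eval`; `app`, which has `-@scripting` after `+@all`, and the disabled `legacy` user are not reported.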
## Detection
- **Indicators of Compromise:** Outbound connections (reverse shells) originating from the `redis-server` process or from a child it spawned; `redis-server` spawning `sh`, `bash`, `curl`, `wget` or similar; unauthorized cryptominers (Monero-mining payloads are the norm in Redis campaigns) or ransomware components on the host. Malware families that have historically mass-scanned for exposed or unpatched Redis servers include P2PInfect, Redigo, HeadCrab, and Migo.
- **Detection Methods and Tools:** Process-creation monitoring (auditd, eBPF, EDR) for any child of `redis-server`, which in normal operation executes no shells or downloaders; network monitoring for new outbound connections from the Redis process tree to anything other than peer Redis nodes; review of command logging (`MONITOR`, `SLOWLOG`, proxy or client logs) for unusual `EVAL`/`EVALSHA` payloads; signature or behavior-based detection of known exploitation scripts.
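The two host-side signals named above (a shell or downloader under `redis-server`, and an outbound connection from the Redis process tree to a non-Redis port) can be expressed as a small stateful rule that follows the process tree. The following is an added example, not part of the original advisory or of any vendor product; the JSON-lines event shape it consumes (`type`, `pid`, `ppid`, `comm`, `dst_ip`, `dst_port`) is an assumption made for the example, to be mapped from auditd, eBPF or EDR telemetry, and the sample log is constructed.

```python
"""Behavioural detection for post-exploitation of CVE-2025-49844 (added
example, not part of the original advisory or of any vendor product).

Two rules run over an ordered stream of endpoint events:
  exec    - redis-server, or a descendant of it, executes a shell,
            downloader or interpreter (a Redis server never needs to);
  connect - a process in the redis-server tree opens an outbound
            connection to anything other than a Redis port, the usual
            reverse-shell tell.
The event shape (JSON lines with type, pid, ppid, comm, dst_ip, dst_port)
is an assumption made for this example; map it from auditd, eBPF or EDR
telemetry when adapting the rules. The sample log is constructed.
"""
import json

SUSPICIOUS_EXEC = frozenset({
    "sh", "bash", "dash", "zsh", "nc", "ncat", "socat",
    "curl", "wget", "python", "python3", "perl", "base64",
})
# Assumption: replication and cluster-bus traffic use the default ports,
# so connections to them from redis-server are expected and not flagged.
REDIS_PORTS = frozenset({6379, 16379})


def load_jsonl(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of findings (dicts with rule, pid, comm, detail)."""
    redis_tree = set()      # pids of redis-server and everything it spawned
    findings = []
    for ev in events:
        pid, ppid, comm = ev["pid"], ev["ppid"], ev["comm"]
        if ev["type"] == "exec":
            if comm == "redis-server":
                redis_tree.add(pid)
            elif ppid in redis_tree or pid in redis_tree:
                # Keep following the tree even through benign helpers, so a
                # shell started two hops down is still attributed to Redis.
                redis_tree.add(pid)
                if comm in SUSPICIOUS_EXEC:
                    findings.append({
                        "rule": "exec", "pid": pid, "comm": comm,
                        "detail": "spawned under redis-server (ppid %d)" % ppid,
                    })
        elif ev["type"] == "connect":
            if pid in redis_tree and ev["dst_port"] not in REDIS_PORTS:
                dst = "%s:%d" % (ev["dst_ip"], ev["dst_port"])
                findings.append({
                    "rule": "connect", "pid": pid, "comm": comm,
                    "detail": "outbound to " + dst, "dst": dst,
                })
    return findings


# Constructed sample telemetry: a replication connection (benign), then a
# shell chain under redis-server that calls back to 203.0.113.7:4444, then
# an unrelated administrator shell under init.
SAMPLE_LOG = """
{"type": "exec", "pid": 1200, "ppid": 1, "comm": "redis-server"}
{"type": "connect", "pid": 1200, "ppid": 1, "comm": "redis-server", "dst_ip": "10.0.0.12", "dst_port": 6379}
{"type": "exec", "pid": 1342, "ppid": 1200, "comm": "sh"}
{"type": "exec", "pid": 1343, "ppid": 1342, "comm": "bash"}
{"type": "connect", "pid": 1343, "ppid": 1342, "comm": "bash", "dst_ip": "203.0.113.7", "dst_port": 4444}
{"type": "exec", "pid": 2001, "ppid": 1, "comm": "bash"}
"""

if __name__ == "__main__":
    for f in detect(load_jsonl(SAMPLE_LOG)):
        print("%-7s pid=%d comm=%s %s" % (f["rule"], f["pid"], f["comm"], f["detail"]))
```

The process-tree state is what keeps the rule precise: the administrator's `bash` under init and the replica connection on 6379 are ignored, while the `sh` -> `bash` chain and its callback to 203.0.113.7:4444 are all attributed to Redis even though the connecting process is two hops away from `redis-server`.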
## References
- Redis security advisory for CVE-2025-49844 (source of the patched version list above).
- Wiz Research report on 'RediShell' (CVE-2025-49844), demonstrated at Pwn2Own Berlin 2025.
- Prior Redis-targeting malware campaigns: P2PInfect, Redigo, HeadCrab, Migo.