Redis Fixes 13-Year-Old CVSS 10.0 “RediShell” Bug Allowing Remote Code Execution

Maximum-Severity RCE in Redis
Redis has patched a 13-year-old remote code execution vulnerability (CVE-2025-49844), nicknamed “RediShell”, that affects all versions of its in-memory database software.
The flaw, rated CVSS 10.0, could allow authenticated attackers to execute arbitrary code on the host system through a malicious Lua script.
“An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution,” Redis stated in a GitHub advisory.
Discovery and Origin
The issue, a use-after-free (UAF) memory corruption, has existed in Redis’ Lua scripting component for over 13 years. It was discovered and reported by researchers from Wiz on May 16, 2025, and privately coordinated with Redis developers before public disclosure.
Because Lua scripting is enabled by default, any authenticated user can potentially escape the Lua sandbox and achieve native code execution on the underlying host.
This access could allow attackers to:
- Steal credentials and sensitive configuration files
- Deploy malware or ransomware
- Exfiltrate data from Redis memory or connected systems
- Pivot laterally within cloud or container environments
Affected Versions and Fix
Redis has addressed the vulnerability in the following releases:
- 6.2.20
- 7.2.11
- 7.4.6
- 8.0.4
- 8.2.2
These patched versions were published on October 3, 2025. Users are urged to upgrade immediately to mitigate exploitation risk.
Temporary Workarounds
If an upgrade cannot be applied right away:
- Disable Lua execution via ACLs that block the EVAL and EVALSHA commands.
- Limit script permissions to trusted users or services only.
- Ensure Redis instances are not internet-facing and are protected by strong authentication.
Redis recommends auditing ACL rules and removing default or unauthenticated accounts.
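The two mitigation steps above, upgrading to a fixed release and auditing ACL rules so that only trusted users keep EVAL and EVALSHA, can both be checked offline from text captured with redis-cli. The following Python script is an added example for this article, not code from Redis or from Wiz. It compares a `redis_version` string from INFO against the fixed releases listed above and replays the command rules from `ACL LIST` output to report which enabled users can still run EVAL or EVALSHA, and which are passwordless. The ACL LIST lines at the bottom are constructed sample input, and treating any release branch not named in the advisory as unpatched is this example's own conservative assumption.

```python
"""Offline checks for the RediShell (CVE-2025-49844) mitigations.

is_patched()      - compares an INFO 'redis_version' value with the fixed releases
                    named in the advisory (6.2.20, 7.2.11, 7.4.6, 8.0.4, 8.2.2).
audit_acl_list()  - parses 'ACL LIST' lines and reports users who can still run
                    EVAL/EVALSHA and users configured with 'nopass'.
"""
import re

# Fixed releases from the advisory, keyed by release branch (major, minor).
FIXED_PATCH = {(6, 2): 20, (7, 2): 11, (7, 4): 6, (8, 0): 4, (8, 2): 2}

# Commands the workaround tells you to block; '@scripting' is the ACL category
# that contains them.
SCRIPT_COMMANDS = {"eval", "evalsha"}


def parse_version(text):
    """Accept '7.4.5' or an INFO line such as 'redis_version:7.4.5'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised redis_version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True only if the version is on a listed branch at or above its fixed patch level."""
    major, minor, patch = parse_version(version)
    fix = FIXED_PATCH.get((major, minor))
    if fix is None:
        # Assumption of this example: a branch with no fixed release in the
        # advisory is treated as affected rather than silently passing.
        return False
    return patch >= fix


def user_can_script(rule_tokens):
    """Replay ACL command rules left to right (later rules override earlier ones)
    and return True if EVAL or EVALSHA remain allowed at the end."""
    allowed = set()
    for tok in rule_tokens:
        low = tok.lower()
        if low in ("allcommands", "+@all"):
            allowed = set(SCRIPT_COMMANDS)
        elif low in ("nocommands", "-@all"):
            allowed = set()
        elif low == "+@scripting":
            allowed |= SCRIPT_COMMANDS
        elif low == "-@scripting":
            allowed -= SCRIPT_COMMANDS
        elif low.startswith("+") and low[1:] in SCRIPT_COMMANDS:
            allowed.add(low[1:])
        elif low.startswith("-") and low[1:] in SCRIPT_COMMANDS:
            allowed.discard(low[1:])
    return bool(allowed)


def audit_acl_list(lines):
    """Parse 'user <name> <rules...>' lines from ACL LIST into per-user findings."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue  # ignore anything that is not an ACL LIST entry
        name, rules = parts[1], parts[2:]
        enabled = "on" in rules          # 'off' users cannot authenticate at all
        findings.append({
            "user": name,
            "enabled": enabled,
            "nopass": "nopass" in rules,
            "can_script": enabled and user_can_script(rules),
        })
    return findings


def scripting_users(lines):
    """Names of enabled users who can still run EVAL/EVALSHA."""
    return [f["user"] for f in audit_acl_list(lines) if f["can_script"]]


# Constructed sample ACL LIST output; the '#<sha256-of-password>' token stands in
# for the real password hash Redis prints.
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<sha256-of-password> ~app:* &* +@all -@scripting",
    "user worker on #<sha256-of-password> ~* &* -@all +@read +eval",
    "user legacy off nopass ~* &* +@all",
]

if __name__ == "__main__":
    for v in ("redis_version:7.4.5", "7.4.6", "7.0.15"):
        print(f"{v}: {'patched' if is_patched(v) else 'UPGRADE REQUIRED'}")
    for f in audit_acl_list(SAMPLE_ACL_LIST):
        flags = [k for k in ("nopass", "can_script") if f[k]]
        print(f"{f['user']:8} enabled={f['enabled']} {' '.join(flags) or 'ok'}")
```

In the sample, `default` is flagged on both counts (passwordless and able to script), which is exactly the exposed-without-authentication case Wiz counted; `app` is clean because `-@scripting` comes after `+@all`; `worker` is flagged because an explicit `+eval` re-grants the command after `-@all`; and the disabled `legacy` user is not counted as able to script, although its `nopass` setting is still reported so it can be cleaned up before anyone re-enables it.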
Exploitation Potential
Although no active exploitation has been confirmed, Redis instances remain a high-value target. Wiz identified roughly 330,000 internet-exposed Redis servers, with about 60,000 lacking authentication entirely.
“This flaw allows a post-auth attacker to send a specially crafted malicious Lua script to escape from the Lua sandbox and achieve arbitrary native code execution,” Wiz said. “This grants full host access, enabling data theft, wiping, encryption, or resource hijacking.”
Broader Impact
Redis servers are commonly exploited in cryptojacking, ransomware, and botnet operations. Given the ubiquity of Redis in cloud and DevOps environments, this 13-year-old flaw represents a serious exposure path until systems are patched.
Organizations should prioritize patching, enforce strict authentication, and monitor for Lua-related anomalies to mitigate potential exploitation.
Source: thehackernews.com