Redis warns major security flaw could be impacting thousands of instances - so patch now


  • Redis patches CVE-2025-49844, a critical bug enabling remote code execution via Lua script abuse
  • Vulnerability had existed for 13 years; affects versions 8.2.1 and below, now fixed in 8.2.2
  • Over 60,000 exposed instances lack authentication; urgent updates and ACL restrictions are strongly advised

Redis, a popular open source data store, carried a critical vulnerability that allowed threat actors to execute malicious code remotely. It has been fixed in its newest version, which users are now urged to install.

Redis, short for Remote Dictionary Server, is an open source, in-memory data store used as a database, cache, and message broker for fast data access and real-time applications, and it is deployed across a wide range of cloud environments.

A security advisory said that a use-after-free vulnerability was introduced into the Redis source code 13 years ago. An authenticated attacker can craft a Lua script that triggers it, escapes the Lua sandbox, and provides a reverse shell and remote code execution. In turn, this enables all sorts of malicious activity, from credential theft to malware infections, cryptojackers, data leaks, and more.

Thousands of vulnerable instances

The bug is tracked as CVE-2025-49844 and was given a severity score of 9.9/10 (critical). It was found in versions 8.2.1 and below and fixed in version 8.2.2.

Those who cannot upgrade to the newest version in time should prevent users from executing Lua scripts, which can be done with an ACL rule that denies the EVAL and EVALSHA commands.
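One way to check whether that mitigation is actually in place is to audit the server's ACL LIST output for users who can still call the Lua commands. The script below is an added example, not code from the article or the Redis project; it assumes the Redis 7.x ACL LIST line format ("user <name> <flags...> <rules...>"), models only the rules relevant here (+@all/-@all and their allcommands/nocommands aliases, +@scripting/-@scripting, and explicit +cmd/-cmd), and runs on constructed sample lines rather than a live server.

```python
"""Audit Redis ACL LIST output for users who can still run Lua scripts.

Added example (not from the article or Redis). Assumes Redis 7.x ACL LIST
format and models only the rules that decide access to EVAL-style commands.
"""

# Commands that evaluate Lua and therefore matter for CVE-2025-49844.
LUA_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro"}


def lua_commands_allowed(rules):
    """Replay ACL rules left to right; return the Lua commands the user may call."""
    allowed = set()
    for rule in rules:
        rule = rule.lower()
        if rule in ("+@all", "allcommands", "+@scripting"):
            allowed = set(LUA_COMMANDS)          # category grants cover every Lua command
        elif rule in ("-@all", "nocommands", "-@scripting"):
            allowed = set()                      # category denials remove all of them
        elif rule[:1] in "+-" and not rule.startswith(("+@", "-@")):
            cmd = rule[1:].split("|")[0]         # "+eval|sub" style rules map to "eval"
            if cmd in LUA_COMMANDS:
                (allowed.add if rule[0] == "+" else allowed.discard)(cmd)
    return allowed


def audit_acl_list(lines):
    """Return one finding per enabled user that can run Lua: (user, nopass?, commands)."""
    findings = []
    for line in lines:
        tokens = line.strip().strip('"').split()
        if len(tokens) < 2 or tokens[0] != "user":
            continue
        name, rest = tokens[1], tokens[2:]
        if "off" in rest:                        # disabled users cannot authenticate at all
            continue
        cmds = lua_commands_allowed(rest)
        if cmds:
            findings.append((name, "nopass" in rest, sorted(cmds)))
    return findings


# Constructed sample of ACL LIST output (not captured from a real server).
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #" + "0" * 64 + " sanitize-payload ~app:* &* -@all +@read +@write",
    "user ops on #" + "0" * 64 + " sanitize-payload ~* &* +@all -@scripting +evalsha",
    "user legacy off nopass sanitize-payload ~* &* +@all",
]

if __name__ == "__main__":
    for user, nopass, cmds in audit_acl_list(SAMPLE_ACL_LIST):
        tag = "UNAUTHENTICATED " if nopass else ""
        print(f"{tag}user '{user}' can run Lua via: {', '.join(cmds)}")
```

A user reported here can be tightened with `ACL SETUSER <name> -@scripting` (or `-eval -evalsha` to match the advisory's narrower rule), and the unauthenticated `default` user should additionally be given a password or disabled.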

Citing security researchers at Wiz, BleepingComputer also reports that around 330,000 Redis instances are exposed online, at least 60,000 of which are vulnerable because they require no authentication.

The actual number of vulnerable Redis instances is probably much higher once instances with weak credentials, or devices already compromised through other vulnerabilities, are included.

"The combination of widespread deployment, default insecure configurations, and the severity of the vulnerability creates an urgent need for immediate remediation. Organizations must prioritize updating their Redis instances and implementing proper security controls to protect against exploitation," Wiz noted.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
