Detections
Analytics
CVE-2025-49844
critical
Description
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
References
https://docs.cloud.google.com/support/bulletins/index#gcp-2025-061
https://www.infosecurity-magazine.com/news/redis-servers-remote-exploitation/
https://www.darkreading.com/cloud-security/patch-now-redishell-redis-rce
https://thehackernews.com/2025/10/13-year-redis-flaw-exposed-cvss-100.html
https://hackread.com/13-year-old-redishell-vulnerability-redis-servers-risk/
Details
Published: 2025-10-03
Updated: 2025-10-16
Named Vulnerability: RediShell
Risk Information
CVSS v2
Base Score: 9
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C
Severity: High
CVSS v3
Base Score: 9.9
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: Critical
EPSS
EPSS: 0.00079
Vulnerability Watch
Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.
Vulnerability Being Monitored