Redis Critical Vulnerability CVE-2025-49844 (RediShell): Hackers Can Execute Code Remotely

07.10.2025 2 minutes Author: Newsman

A critical vulnerability, CVE-2025-49844, known as *RediShell*, has been found in the popular database system Redis. It has received the maximum severity rating of CVSS 10.0 and allows remote code execution through a flaw in the Lua scripting engine shipped with every version of Redis.

Experts from Wiz, who discovered the problem, explain that an attacker who can authenticate to Redis can run a specially crafted Lua script that manipulates the *garbage collector* and triggers a use-after-free, a memory-safety bug that lets arbitrary code run outside the Lua sandbox. A successful attack could lead to credential theft, malware installation, exfiltration of sensitive data, or even access to other cloud services.

Redis has confirmed that the issue affects all previous versions and has released fixes in builds 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2.

Until the update is installed, developers are advised to prevent Lua scripts from executing by restricting the EVAL and EVALSHA commands through ACL settings, so that only trusted users may run them.
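The two defensive checks the article describes, comparing the running build against the fixed versions and confirming that untrusted ACL users cannot reach EVAL/EVALSHA, can be scripted against the output of `INFO server` and `ACL LIST`. The following audit is an added example, not code from the article, Wiz or the Redis project. The fixed-version table is the one the article lists; the sample `INFO` and `ACL LIST` text is constructed, the user names and password hashes are placeholders, and the ACL evaluation is a simplified model that tracks only the `@scripting` category (which in real Redis covers EVAL, EVALSHA, their `_RO` variants, FCALL, FUNCTION and SCRIPT) and ignores ACL selectors.

```python
"""Audit a Redis instance's patch state and ACL exposure for CVE-2025-49844.

Added example (not from the article). Feed it the text returned by
`redis-cli INFO server` and `redis-cli ACL LIST`; here both are constructed.
"""
import re

# Fixed builds named in the article, keyed by release line (major, minor).
FIXED_VERSIONS = {
    (6, 2): (6, 2, 20),
    (7, 2): (7, 2, 11),
    (7, 4): (7, 4, 6),
    (8, 0): (8, 0, 4),
    (8, 2): (8, 2, 2),
}

# Commands in Redis' @scripting ACL category (assumption: category contents as of Redis 7/8).
SCRIPT_COMMANDS = frozenset(
    {"eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro", "function", "script"}
)

# Constructed sample output; a real instance would return many more INFO fields.
SAMPLE_INFO = """# Server
redis_version:7.2.10
redis_mode:standalone
"""

# Constructed ACL LIST output; '#...' values stand in for real SHA-256 password hashes.
SAMPLE_ACL_LIST = """user default on nopass sanitize-payload ~* &* +@all
user app on #placeholderhash1 sanitize-payload ~app:* &* +@all -@scripting
user reports on #placeholderhash2 sanitize-payload ~report:* resetchannels -@all +get +mget
user batch off #placeholderhash3 sanitize-payload ~* &* -@all +@read +eval
"""


def parse_version(info_server: str) -> tuple:
    """Extract the redis_version:x.y.z line from INFO output as an int tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def is_patched(version: tuple) -> bool:
    """True only if the build is at or above the fixed build of its release line.
    Lines with no listed fix (e.g. 7.0.x) are treated as unpatched, since the
    article states that every earlier version is affected."""
    fixed = FIXED_VERSIONS.get(version[:2])
    return fixed is not None and version >= fixed


def reachable_script_commands(rules: str) -> set:
    """Walk ACL rule tokens left to right (Redis applies them in order) and
    return the scripting commands the user ends up allowed to call."""
    granted = set()
    for tok in rules.split():
        t = tok.lower()
        if t in ("+@all", "allcommands", "+@scripting"):
            granted |= SCRIPT_COMMANDS
        elif t in ("-@all", "nocommands", "-@scripting"):
            granted.clear()
        elif t[0] in "+-":
            cmd = t[1:].split("|")[0]  # strip subcommand suffix such as script|flush
            if cmd in SCRIPT_COMMANDS:
                (granted.add if t[0] == "+" else granted.discard)(cmd)
    return granted


def audit(info_server: str, acl_list: str) -> dict:
    """Combine the version check with a per-user scripting check."""
    version = parse_version(info_server)
    exposed = []
    for line in acl_list.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0] != "user":
            continue
        name, rules = parts[1], parts[2]
        enabled = rules.split()[0] == "on"  # disabled users cannot authenticate
        cmds = reachable_script_commands(rules)
        if enabled and cmds:
            exposed.append((name, sorted(cmds)))
    return {"version": version, "patched": is_patched(version), "users_with_scripting": exposed}


def remediation(report: dict) -> list:
    """Interim ACL commands (the article's workaround) for users that still reach scripting."""
    return [f"ACL SETUSER {name} -@scripting" for name, _ in report["users_with_scripting"]]


if __name__ == "__main__":
    report = audit(SAMPLE_INFO, SAMPLE_ACL_LIST)
    print(report)
    for cmd in remediation(report):
        print(cmd)
```

On the constructed sample the script reports 7.2.10 as unpatched (the 7.2 line is fixed in 7.2.11) and flags only `default`: `app` loses scripting through `-@scripting`, `reports` never gains it, and `batch` is disabled. Apply the emitted `ACL SETUSER ... -@scripting` commands only to accounts that do not legitimately need Lua, and treat them as a stopgap until the fixed build is deployed.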

  • This vulnerability has existed in the Redis code for over 13 years and went undetected for that entire time. Although there are currently no confirmed cases of exploitation in real-world attacks, experts emphasize that Redis is an attractive target for cryptojacking and botnet creation.

  • Researchers estimate that there are about 330,000 Redis instances exposed online, of which 60,000 are not authenticated at all. This poses a potential risk to companies across all industries, especially in cloud environments.

  • The *RediShell* vulnerability demonstrates how dangerous long-standing flaws in popular tools can be. Even a single bug in the Lua engine can open the way for a large-scale breach. Experts urge administrators to immediately update Redis and review access policies, as the combination of high prevalence and maximum criticality makes this bug one of the most serious risks of 2025.
