CVE-2025-49844

Critical CVSS: 9.9

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Vendor

Redis

Product

Redis

CWE

CWE-416

Yayın Tarihi

2025-10-03 20:15:32

Güncelleme

2026-03-20 14:16:14

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-416 Redis CRITICAL Redis 2025

Referanslar

https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539 https://github.com/redis/redis/releases/tag/8.2.2 https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q http://www.openwall.com/lists/oss-security/2025/10/07/2 https://github.com/lastvocher/redis-CVE-2025-49844

Benzer Kayıtlar

High

CVE-2025-62507

Redis is an open source, in-memory database that persists on disk. In versions 8.2.0 and above, a user can run the XACKD…

Medium

CVE-2025-46818

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user…

Medium

CVE-2025-46819

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user…

High

CVE-2025-46817

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user…

High

CVE-2025-48367

Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP p…

High

CVE-2025-32023

Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19,…