CRITICAL🇵🇱 Wersja polska

CVE-2025-49844

CVSS 9.9v3.1pub. 2025-10-03upd. 2026-03-20

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

🤖 AI Analysis
How it works

An attacker with access to an account (even with low privileges) can send a specially crafted Lua script that manipulates garbage collector behavior. This results in a use-after-free error (CWE-416) — a reference to already freed memory. A properly prepared exploit can allow takeover of the server process execution flow and execution of arbitrary code.

Impact

An attacker can achieve remote code execution (RCE) on the database server, potentially gaining full control over the host. Data leakage and modification of stored data are direct consequences of a successful attack.

Mitigation & patch

Redis should be updated to version 8.2.2, where the bug has been fixed. If immediate patching is not possible, a workaround can be applied: restrict users' ability to execute Lua scripts by using ACL lists — block EVAL and EVALSHA commands. For Valkey, patches from the vendor should be applied according to the references.

Who is affected

Redis versions 8.2.1 and lower (all versions with Lua scripting support enabled); Valkey (LFProjects) — versions indicated in the vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Lfprojects Valkey

    APP
    Lfprojects
    < 7.2.118.0.0 – 8.0.6 (bez)8.1.0 – 8.1.4 (bez)
  • Redis

    APP
    Redis
    8.0.0 – 8.0.4 (bez)< 6.2.208.2.0 – 8.2.2 (bez)7.0 – 7.2.11 (bez)7.4.0 – 7.4.6 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEMemory
CWE
References

Related vulnerabilities

CVE-2022-0543CRITICAL10.0⚠ KEVten sam produkt

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debia...

CVE-2026-23479HIGH7.7ten sam produkt

Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow do...

CVE-2026-25243HIGH7.7ten sam produkt

Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does ...

CVE-2025-67733HIGH8.5ten sam produkt

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious use...

CVE-2026-21863HIGH7.5ten sam produkt

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious act...