CVE-2025-49844 Overview
CVE-2025-49844 is a critical use-after-free vulnerability affecting Redis, the popular open-source in-memory database. This vulnerability exists in the Lua scripting engine integrated within Redis and affects versions 8.2.1 and below. An authenticated user can exploit this flaw by crafting a malicious Lua script that manipulates the garbage collector, triggering a use-after-free condition that can potentially lead to remote code execution on the affected server.
Critical Impact
Authenticated attackers can achieve remote code execution on Redis servers through specially crafted Lua scripts, potentially compromising the entire database infrastructure and any systems with access to the Redis instance.
Affected Products
- Redis versions 8.2.1 and below (all versions with Lua scripting support)
- LF Projects Valkey (Redis fork)
- Any application using embedded Redis with Lua scripting enabled
Discovery Timeline
- 2025-10-03 - CVE-2025-49844 published to NVD
- 2025-11-12 - Last updated in NVD database
Technical Details for CVE-2025-49844
Vulnerability Analysis
This vulnerability is classified as CWE-416 (Use After Free), a memory corruption issue that occurs when a program continues to reference memory after it has been freed. In the context of Redis, the vulnerability resides in the Lua parser component (deps/lua/src/lparser.c), specifically in how the luaY_parser function handles string objects during script parsing.
The root cause involves improper memory management when creating and using TString objects during Lua script compilation. The original code creates a new string object via luaS_new() and passes it directly to luaX_setinput() without properly anchoring it to the Lua stack. This creates a race condition where the garbage collector could free the string object while it's still being referenced, leading to a use-after-free condition.
Root Cause
The vulnerability stems from the Lua parser's failure to properly root a TString object to the Lua stack before use. When luaS_new(L, name) is called, it allocates a new string object, but without being pushed onto the stack, this object becomes eligible for garbage collection. If the garbage collector runs during subsequent operations (which a malicious script can trigger), the string may be freed while still referenced by the lexer state, creating a dangling pointer that attackers can exploit for code execution.
Attack Vector
The attack requires authenticated access to a Redis server with Lua scripting enabled. An attacker can:
- Connect to the Redis server with valid credentials
- Submit a specially crafted Lua script using EVAL or EVALSHA commands
- The script manipulates garbage collection timing to trigger the use-after-free
- Exploit the memory corruption to achieve arbitrary code execution
The network-accessible nature of Redis combined with the scope change capability makes this vulnerability particularly dangerous in multi-tenant or shared infrastructure environments.
// Security patch from deps/lua/src/lparser.c
// Source: https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539
struct LexState lexstate;
struct FuncState funcstate;
lexstate.buff = buff;
- luaX_setinput(L, &lexstate, z, luaS_new(L, name));
+ TString *tname = luaS_new(L, name);
+ setsvalue2s(L, L->top, tname);
+ incr_top(L);
+ luaX_setinput(L, &lexstate, z, tname);
open_func(&lexstate, &funcstate);
funcstate.f->is_vararg = VARARG_ISVARARG; /* main func. is always vararg */
luaX_next(&lexstate); /* read first token */
chunk(&lexstate);
check(&lexstate, TK_EOS);
close_func(&lexstate);
+ --L->top;
lua_assert(funcstate.prev == NULL);
lua_assert(funcstate.f->nups == 0);
lua_assert(lexstate.fs == NULL);
The fix properly anchors the TString object to the Lua stack using setsvalue2s() and incr_top() before passing it to luaX_setinput(), preventing garbage collection of the object during parser operations.
Detection Methods for CVE-2025-49844
Indicators of Compromise
- Unusual or malformed Lua scripts submitted via EVAL or EVALSHA commands
- Redis server crashes or unexpected restarts indicating memory corruption
- Anomalous garbage collection patterns in Redis logs
- Unauthorized processes spawned from the Redis server process
- Memory access violations or segmentation faults in Redis error logs
Detection Strategies
- Monitor Redis command logs for suspicious EVAL and EVALSHA commands, particularly those with complex garbage collection manipulation
- Implement network monitoring to detect unusual patterns of Lua script execution from unexpected sources
- Deploy runtime application self-protection (RASP) solutions to detect memory corruption attempts
- Use Redis's SLOWLOG to identify unusual script execution patterns
- Configure alerting for Redis process crashes or abnormal terminations
Monitoring Recommendations
- Enable Redis DEBUG logging temporarily during incident investigation to capture detailed command execution
- Implement host-based intrusion detection to monitor for suspicious child processes from Redis
- Deploy SentinelOne agents on Redis servers for real-time behavioral analysis and exploit detection
- Monitor system calls from the Redis process for indicators of successful exploitation
- Track memory allocation patterns for anomalies indicative of use-after-free exploitation
How to Mitigate CVE-2025-49844
Immediate Actions Required
- Upgrade Redis to version 8.2.2 or later immediately
- If immediate patching is not possible, implement ACL restrictions to block EVAL and EVALSHA commands
- Audit existing Lua scripts for potential malicious content
- Review Redis access logs to identify any suspicious scripting activity
- Ensure Redis authentication is enabled and credentials are strong
Patch Information
Redis has released version 8.2.2 which addresses this vulnerability. The patch properly anchors TString objects to the Lua stack during script parsing, preventing garbage collection from freeing objects while still in use.
- Fixed Version: Redis 8.2.2
- Patch Commit:GitHub Commit d5728cb5795c966c5b5b1e0f0ac576a7e69af539
- Security Advisory:GitHub Security Advisory GHSA-4789-qfc9-5f9q
- Release Notes:Redis 8.2.2 Release
Workarounds
- Disable Lua scripting by restricting EVAL and EVALSHA commands via Redis ACL configuration
- Limit network access to Redis servers using firewall rules to trusted IP addresses only
- Implement strong authentication and use Redis ACLs to restrict scripting permissions to trusted users only
- Consider running Redis in a containerized environment with restricted capabilities to limit exploitation impact
- Monitor for the availability of patches for LF Projects Valkey if using that Redis fork
# Redis ACL configuration to disable Lua scripting
# Add to redis.conf or use ACL SETUSER command
# Deny EVAL and EVALSHA commands for all users except admin
ACL SETUSER default -EVAL -EVALSHA
# For specific users, create restricted profiles
ACL SETUSER app_user on >strongpassword ~* +@all -EVAL -EVALSHA -EVALSHA_RO -EVAL_RO
# Verify ACL configuration
redis-cli ACL LIST
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
