CVE-2025-49844 Overview
CVE-2025-49844 is a use-after-free vulnerability in Redis affecting versions 8.2.1 and below. An authenticated user can submit a specially crafted Lua script that manipulates the embedded Lua interpreter's garbage collector. The manipulation triggers a use-after-free condition that attackers can leverage for remote code execution on the Redis server. The flaw exists in all Redis versions with Lua scripting enabled and is classified as CWE-416 (Use After Free). Redis released version 8.2.2 to address the issue. The Valkey fork (lfprojects:valkey) is also affected because it shares the same Lua scripting code paths.
Critical Impact
Authenticated attackers with access to EVAL or EVALSHA commands can achieve remote code execution on Redis servers running versions 8.2.1 or earlier.
Affected Products
- Redis versions 8.2.1 and below (all versions with Lua scripting)
- Valkey (LF Projects fork sharing the affected Lua code paths)
- Redis fixed in version 8.2.2
Discovery Timeline
- 2025-10-03 - CVE-2025-49844 published to NVD
- 2026-03-20 - Last updated in NVD database
Technical Details for CVE-2025-49844
Vulnerability Analysis
The vulnerability resides in Redis's embedded Lua interpreter. Redis exposes the EVAL and EVALSHA commands to allow server-side scripting in Lua. An authenticated client can craft a Lua script that interacts with the Lua garbage collector in a way that frees an object still referenced by the parser. Subsequent use of that freed memory enables attackers to corrupt interpreter state and redirect control flow within the redis-server process. Because Redis typically runs as a long-lived service with access to data, network sockets, and often privileged file paths, code execution within its address space is equivalent to full server compromise. The vulnerability is mapped to CWE-416 (Use After Free).
Root Cause
The root cause is in deps/lua/src/lparser.c. When parsing a Lua chunk, the function luaY_parser calls luaS_new to create a TString for the chunk name, then passes it directly to luaX_setinput without anchoring it on the Lua stack. The garbage collector can free the unreferenced string during parsing, leaving the lexer with a dangling pointer to a freed TString. A crafted script that triggers GC activity during parsing produces a use-after-free.
Attack Vector
Exploitation requires an authenticated session with permission to run Lua scripts. The attacker connects to the Redis instance over the network and issues an EVAL or EVALSHA command carrying the malicious script. No user interaction is required, and exploitation crosses a privilege boundary because the resulting code execution runs with the privileges of the redis-server process.
struct LexState lexstate;
struct FuncState funcstate;
lexstate.buff = buff;
- luaX_setinput(L, &lexstate, z, luaS_new(L, name));
+ TString *tname = luaS_new(L, name);
+ setsvalue2s(L, L->top, tname);
+ incr_top(L);
+ luaX_setinput(L, &lexstate, z, tname);
open_func(&lexstate, &funcstate);
funcstate.f->is_vararg = VARARG_ISVARARG; /* main func. is always vararg */
luaX_next(&lexstate); /* read first token */
chunk(&lexstate);
check(&lexstate, TK_EOS);
close_func(&lexstate);
+ --L->top;
lua_assert(funcstate.prev == NULL);
lua_assert(funcstate.f->nups == 0);
lua_assert(lexstate.fs == NULL);
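Review bot: the balancing `--L->top;` placed after `close_func(&lexstate);` runs only on the success path; if parsing aborts with an error inside `chunk(&lexstate);` or `check(&lexstate, TK_EOS);`, the slot pushed by `setsvalue2s(L, L->top, tname); incr_top(L);` is left for the enclosing protected call to unwind. That is the usual Lua convention, but it deserves a one-line comment next to `incr_top(L);` stating that the anchor must stay on the stack until `close_func` returns and that the pop is intentionally skipped on the error path, so a later refactor does not add an early return between the push and the pop or move the pop ahead of `close_func`.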
Source: Redis security patch commit d5728cb. The fix anchors the new TString on the Lua stack before invoking the lexer, preventing the garbage collector from reclaiming it during parsing.
Detection Methods for CVE-2025-49844
Indicators of Compromise
- Unexpected EVAL or EVALSHA commands from clients that do not normally use Lua scripting.
- Redis server crashes, segmentation faults, or restarts shortly after script execution recorded in the Redis log.
- New child processes, outbound network connections, or shell activity originating from the redis-server process.
- Modifications to Redis configuration, ACL definitions, or new keys containing payload-like data following script execution.
Detection Strategies
- Inspect Redis logs and MONITOR output for EVAL/EVALSHA commands carrying unusually long or obfuscated Lua bodies.
- Correlate Redis process anomalies (crashes, child process creation, memory spikes) with script execution events using endpoint and host telemetry.
- Enumerate Redis instances on the network and verify each version with INFO server; flag any reporting redis_version at or below 8.2.1.
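The log-based and version-based checks above as an added Python example; this is not code from the original page or from the Redis project. It flags EVAL/EVALSHA commands in MONITOR output that come from clients outside a constructed allowlist or carry long or obfuscated bodies, and it compares redis_version from INFO server against the fixed release 8.2.2. The MONITOR lines, the allowlist, the thresholds and the EVALSHA hash are all constructed placeholders.

```python
"""Added example: flag suspicious EVAL/EVALSHA commands in Redis MONITOR
output and check redis_version from INFO server against the fixed release.
Not part of the original page; thresholds and sample data are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FIXED_VERSION = (8, 2, 2)             # first Redis release with the fix
SCRIPT_COMMANDS = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO"}
MAX_BODY_LEN = 512                    # constructed threshold; tune per workload
MAX_HEX_RATIO = 0.05                  # share of \xNN escapes treated as obfuscation
SCRIPTING_CLIENTS = {"10.0.0.5"}      # constructed allowlist of script-using hosts

# MONITOR line shape: <unix ts> [<db> <addr:port>] "ARG" "ARG" ...
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')


def split_monitor_args(text: str) -> List[str]:
    # Split MONITOR's double-quoted arguments. Backslash escapes (\", \\, \xNN)
    # are kept verbatim so a quote inside a script body does not end the
    # argument and hex escapes remain countable.
    args, i, n = [], 0, len(text)
    while i < n:
        if text[i] != '"':
            i += 1
            continue
        j, cur = i + 1, []
        while j < n and text[j] != '"':
            if text[j] == "\\" and j + 1 < n:
                cur.append(text[j:j + 2])
                j += 2
            else:
                cur.append(text[j])
                j += 1
        args.append("".join(cur))
        i = j + 1
    return args


@dataclass
class Finding:
    client: str
    command: str
    reasons: List[str] = field(default_factory=list)


def analyse_monitor_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious script command, else None."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None                            # not a MONITOR line
    args = split_monitor_args(m.group("args"))
    if not args or args[0].upper() not in SCRIPT_COMMANDS:
        return None
    cmd = args[0].upper()
    client_ip = m.group("client").rsplit(":", 1)[0]
    reasons = []
    if client_ip not in SCRIPTING_CLIENTS:
        reasons.append("client is not one that normally runs Lua scripts")
    if cmd in ("EVAL", "EVAL_RO") and len(args) > 1:   # EVALSHA carries only a hash
        body = args[1]
        if len(body) > MAX_BODY_LEN:
            reasons.append(f"script body is {len(body)} bytes (limit {MAX_BODY_LEN})")
        if body and body.count("\\x") / len(body) > MAX_HEX_RATIO:
            reasons.append("body is dense with \\xNN escapes (possible obfuscation)")
        if "collectgarbage" in body:
            reasons.append("script drives the Lua garbage collector explicitly")
    return Finding(client_ip, cmd, reasons) if reasons else None


def scan_monitor(lines) -> List[Finding]:
    """Run analyse_monitor_line over a MONITOR capture and keep the hits."""
    return [f for f in map(analyse_monitor_line, lines) if f]


def parse_redis_version(info_server: str) -> Optional[Tuple[int, ...]]:
    """Extract redis_version from INFO server output as a tuple of ints."""
    for ln in info_server.splitlines():
        if ln.startswith("redis_version:"):
            return tuple(int(p) for p in re.findall(r"\d+", ln.split(":", 1)[1]))
    return None


def is_vulnerable_version(info_server: str) -> bool:
    """True when redis_version is below 8.2.2, the first fixed release."""
    v = parse_redis_version(info_server)
    return v is not None and v < FIXED_VERSION


# Constructed sample MONITOR capture: a routine EVALSHA from an expected
# client, an EVAL from an unexpected client, an obfuscated EVAL, and a GET.
SAMPLE_MONITOR = [
    '1759500000.123456 [0 10.0.0.5:51234] "EVALSHA" '
    '"a42059b356c875f0717db19a51f6aaca9ae659ea" "1" "cart:42"',
    '1759500001.654321 [0 192.0.2.77:40012] "EVAL" '
    '"local s = string.rep(\\"A\\", 4096) collectgarbage() return #s" "0"',
    '1759500002.000000 [0 198.51.100.9:40100] "EVAL" "' + "\\x41" * 200 + '" "0"',
    '1759500003.000000 [0 10.0.0.5:51234] "GET" "cart:42"',
]
SAMPLE_INFO = "# Server\r\nredis_version:8.2.1\r\nredis_mode:standalone\r\n"

if __name__ == "__main__":
    for f in scan_monitor(SAMPLE_MONITOR):
        print(f"{f.client} {f.command}: " + "; ".join(f.reasons))
    print("vulnerable version" if is_vulnerable_version(SAMPLE_INFO) else "fixed version")
```

Feed it a MONITOR capture (redis-cli MONITOR > capture.txt) and the text of INFO server; the allowlist and thresholds are the parts to adapt to your environment, since a workload that legitimately runs large scripts will otherwise drown the signal.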
Monitoring Recommendations
- Forward Redis slow log, MONITOR capture, and ACL log events to a central SIEM for command-level visibility.
- Alert on redis-server spawning unexpected child processes such as sh, bash, python, or curl.
- Monitor egress connections from hosts running Redis for traffic to unfamiliar destinations following script activity.
How to Mitigate CVE-2025-49844
Immediate Actions Required
- Upgrade Redis to version 8.2.2 or later on all affected instances.
- For Valkey deployments, apply the equivalent upstream fix from the project's security advisory.
- Audit Redis ACLs and remove EVAL and EVALSHA permissions from any user that does not require Lua scripting.
- Ensure Redis is not exposed to untrusted networks and that requirepass or ACL authentication is enforced.
Patch Information
The fix is included in Redis release 8.2.2 and committed in commit d5728cb. Additional context is available in the GitHub Security Advisory GHSA-4789-qfc9-5f9q and the OpenWall oss-security discussion. A public proof-of-concept exists at the lastvocher/redis-CVE-2025-49844 repository.
Workarounds
- Disable Lua scripting access by using Redis ACLs to deny the EVAL, EVALSHA, EVAL_RO, EVALSHA_RO, FCALL, FCALL_RO, and FUNCTION commands for all users.
- Restrict network exposure of Redis to trusted application hosts only via firewall rules or service mesh policies.
- Run Redis as a non-privileged user inside a hardened container or systemd unit with NoNewPrivileges, seccomp, and read-only file systems to limit blast radius.
# Restrict Lua scripting via Redis ACL (apply per user)
redis-cli ACL SETUSER default -eval -evalsha -eval_ro -evalsha_ro -fcall -fcall_ro -function
# Verify Redis version after upgrade
redis-cli INFO server | grep redis_version
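An added Python example, not from the original page or the Redis project, that verifies the ACL workaround above: it walks each ACL LIST rule string left to right, the order in which Redis applies rules, and reports users who can still reach the denied scripting commands, including the case where a later +@slow or +@write rule re-grants them. The category membership table is taken from the Redis command reference and should be confirmed on your build with COMMAND INFO and ACL DRYRUN; the ACL lines and password hashes are constructed.

```python
"""Added example: audit ACL LIST output for users who can still run the
scripting commands the workaround denies. Not part of the original page;
the category table is per the Redis command reference and the sample ACL
lines are constructed."""
from typing import Dict, List, Set, Tuple

# ACL categories of each command the workaround denies (Redis command
# reference; FUNCTION's write subcommands such as LOAD put it in @write).
# Confirm on a live instance with COMMAND INFO <cmd>.
SCRIPTING_CMDS: Dict[str, Set[str]] = {
    "eval":       {"slow", "scripting"},
    "evalsha":    {"slow", "scripting"},
    "eval_ro":    {"slow", "scripting"},
    "evalsha_ro": {"slow", "scripting"},
    "fcall":      {"slow", "scripting"},
    "fcall_ro":   {"slow", "scripting"},
    "function":   {"write", "slow", "scripting"},
}


def permitted_scripting(acl_line: str) -> Tuple[str, Set[str], List[str]]:
    """Walk one ACL LIST line left to right, as Redis applies rules, and
    return (user, scripting commands still allowed, notes for manual review)."""
    tokens = acl_line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    user, allowed, notes = tokens[1], set(), []
    for tok in tokens[2:]:
        t = tok.lower()
        if t in ("allcommands", "+@all"):
            allowed = set(SCRIPTING_CMDS)
        elif t in ("nocommands", "-@all"):
            allowed = set()
        elif t[:2] in ("+@", "-@"):                       # category rule
            hits = {c for c, cats in SCRIPTING_CMDS.items() if t[2:] in cats}
            allowed = allowed | hits if t[0] == "+" else allowed - hits
        elif t[0] in "+-" and len(t) > 1:                 # single command rule
            name, _, sub = t[1:].partition("|")
            if name not in SCRIPTING_CMDS:
                continue
            if sub:                                       # e.g. -function|load
                if t[0] == "+":
                    allowed.add(name)                     # partial grant still counts
                notes.append(f"{user}: subcommand rule {tok} needs manual review")
            elif t[0] == "+":
                allowed.add(name)
            else:
                allowed.discard(name)
        elif t.startswith("("):                           # selector adds permissions
            notes.append(f"{user}: ACL selector present, verify with ACL DRYRUN")
        # on/off, passwords (>, #, nopass), key (~, %) and channel (&) rules
        # grant no command permissions and are skipped.
    return user, allowed, notes


def audit_acl(acl_lines) -> Dict[str, List[str]]:
    """Map each user that can still run a scripting command to the sorted
    list of those commands; fully restricted users are omitted."""
    report: Dict[str, List[str]] = {}
    for line in acl_lines:
        user, allowed, _ = permitted_scripting(line)
        if allowed:
            report[user] = sorted(allowed)
    return report


# Constructed ACL LIST output; the password hashes are placeholders.
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all -eval -evalsha "
    "-eval_ro -evalsha_ro -fcall -fcall_ro -function",
    "user app on #" + "0" * 64 + " ~app:* &* -@all +@read +@write",
    "user batch on #" + "1" * 64 + " ~* &* -@all +@slow",
    "user admin on #" + "2" * 64 + " ~* &* +@all",
]

if __name__ == "__main__":
    for user, cmds in audit_acl(SAMPLE_ACL).items():
        print(f"{user}: can still run {', '.join(cmds)}")
```

Run it over the output of redis-cli ACL LIST. In the constructed sample the default user is correctly locked down, but app regains FUNCTION through +@write and batch regains every scripting command through +@slow, which is why per-command denials should be followed by an allowlist-style -@all +@category layout and a final check with ACL DRYRUN.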
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.