Critical Redis Vulnerability (CVE-2025-49844) Allows Remote Code Execution with Maximum CVSS Score
By mihau
Summary
Wiz Research has discovered a critical remote code execution vulnerability (CVE-2025-49844, nicknamed #RediShell) in Redis, the widely used in-memory data structure store. The vulnerability has a maximum CVSS score of 10.0 and stems from a 13-year-old Use-After-Free memory corruption bug in the Redis source code. An attacker who can already authenticate to the server can send a crafted Lua script that escapes the Lua sandbox and executes arbitrary code on the host system. The vulnerability affects all Redis versions and is particularly concerning given Redis's deployment in 75% of cloud environments.
Key quotes
Wiz Research has uncovered a critical Remote Code Execution (RCE) vulnerability, CVE-2025-49844, which we've dubbed #RediShell, in the widely used Redis in-memory data structure store.
The vulnerability has been assigned a CVSS score of 10.0 - the highest possible severity.
The vulnerability exploits a Use-After-Free (UAF) memory corruption bug that has existed for approximately 13 years in the Redis source code.
This flaw allows a post-auth attacker to send a specially crafted malicious Lua script (a feature supported by default in Redis) to escape from the Lua sandbox and achieve remote code execution.
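Because the bug is post-auth and Lua scripting is on by default, the two questions an operator wants answered for an unpatched instance are: which ACL users can reach the Lua engine at all, and do any of them need no password (in which case "post-auth" is no barrier). The script below is an added example, not part of the original article or of Wiz's tooling: it parses `ACL LIST` output and reports both conditions, then suggests the `ACL SETUSER <user> -@scripting` rule that removes scripting access while a patch is scheduled. Assumptions: the ACL LIST sample is constructed; the rule evaluation is a simplified left-to-right model that ignores Redis 7 selectors; and `SCRIPTING_COMMANDS` is the subset of the `@scripting` category the audit cares about.

```python
"""Audit Redis `ACL LIST` output for Lua-scripting exposure (added example)."""
from dataclasses import dataclass, field

# Commands that hand input to the Lua engine. Redis groups them in the @scripting
# ACL category; this subset is an assumption sufficient for the audit.
SCRIPTING_COMMANDS = {
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "script", "function", "fcall", "fcall_ro",
}

# Constructed ACL LIST output (password hashes are placeholders, not real digests).
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #" + "ab" * 32 + " ~app:* &* -@all +@read +@write +@scripting -script",
    "user ops on #" + "cd" * 32 + " ~* &* +@all -@scripting",
    "user legacy off nopass ~* &* +@all",
]


@dataclass
class UserAudit:
    name: str
    enabled: bool = False
    passwordless: bool = False
    allowed_scripting: set = field(default_factory=set)
    findings: list = field(default_factory=list)


def parse_acl_line(line: str) -> UserAudit:
    """Apply +/- rules left to right (simplified model; selectors are ignored)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    audit = UserAudit(name=tokens[1])
    allowed: set = set()
    for tok in tokens[2:]:
        if tok == "on":
            audit.enabled = True
        elif tok == "off":
            audit.enabled = False
        elif tok == "nopass":
            audit.passwordless = True
        elif tok.startswith(("#", ">")):          # hashed or clear-text password set
            audit.passwordless = False
        elif tok in ("allcommands", "+@all"):
            allowed = set(SCRIPTING_COMMANDS)
        elif tok in ("nocommands", "-@all"):
            allowed = set()
        elif tok == "+@scripting":
            allowed |= SCRIPTING_COMMANDS
        elif tok == "-@scripting":
            allowed -= SCRIPTING_COMMANDS
        elif tok.startswith("+") and not tok.startswith("+@"):
            cmd = tok[1:].split("|")[0].lower()    # "+script|load" -> "script"
            if cmd in SCRIPTING_COMMANDS:
                allowed.add(cmd)
        elif tok.startswith("-") and not tok.startswith("-@"):
            allowed.discard(tok[1:].split("|")[0].lower())
        # key patterns (~), channel patterns (&), other categories and flags
        # do not change whether the Lua engine is reachable.
    audit.allowed_scripting = allowed
    return audit


def audit_acl(lines) -> list:
    """Return one UserAudit per line; findings are attached only to enabled users."""
    results = []
    for line in lines:
        user = parse_acl_line(line)
        if user.enabled:
            if user.passwordless:
                user.findings.append("nopass: any client reaching the port is 'authenticated' as this user")
            if user.allowed_scripting:
                user.findings.append("can reach the Lua engine via: "
                                     + ", ".join(sorted(user.allowed_scripting)))
            if user.passwordless and user.allowed_scripting:
                user.findings.append("CRITICAL: unauthenticated Lua scripting; "
                                     "the post-auth precondition is effectively absent")
        results.append(user)
    return results


def remediation(user: UserAudit) -> str:
    """Interim hardening rule for a user that can still reach scripting."""
    return f"ACL SETUSER {user.name} -@scripting"


if __name__ == "__main__":
    for user in audit_acl(SAMPLE_ACL_LIST):
        status = "enabled" if user.enabled else "disabled"
        print(f"{user.name} ({status})")
        for finding in user.findings:
            print(f"  - {finding}")
        if user.enabled and user.allowed_scripting:
            print(f"  fix: {remediation(user)}")
```

Run it against real output from `redis-cli ACL LIST` by replacing `SAMPLE_ACL_LIST`; a user that legitimately needs Lua should keep scripting but lose `nopass`, and everything else should get the `-@scripting` rule until the server is patched.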