A critical vulnerability has been identified in multiple Redis products, assigned CVE-2025-49844 with a CVSS score of 9.9. This flaw allows an authenticated attacker to execute a specially crafted Lua script, leading to memory corruption which could result in a complete system compromise. Successful exploitation could allow an attacker to take full control of the affected database server, leading to data theft, service disruption, and further network intrusion.

This vulnerability exists within the Lua scripting engine of Redis. An authenticated attacker can submit a malicious Lua script using commands such as EVAL. This script is crafted to improperly interact with the garbage collection mechanism, leading to a memory corruption condition like a use-after-free or heap overflow. By carefully manipulating memory, the attacker can overwrite critical data structures, ultimately allowing for arbitrary code execution in the context of the Redis server process.

This vulnerability is rated as critical severity with a CVSS score of 9.9. Exploitation of this flaw could have a devastating impact on business operations. A successful attack could lead to the complete compromise of the Redis server, granting the adversary the ability to read, modify, or delete all data stored within the in-memory database, which often contains sensitive session, cache, or application data. The consequences include severe data breaches, application downtime, and the potential for the compromised server to be used as a pivot point to launch further attacks against the internal network.

Immediate Action: The primary remediation is to upgrade all affected instances to a patched version. Prioritize patching for all internet-facing or critical Redis servers immediately. Consult the official vendor advisory for the latest secure version and follow standard patching procedures.

Proactive Monitoring: Security teams should actively monitor for signs of attempted exploitation. This includes reviewing Redis logs for unusual or obfuscated Lua scripts being executed via the EVAL or EVALSHA commands. Monitor system-level logs for unexpected crashes or restarts of the Redis process, and monitor network traffic for any anomalous outbound connections originating from Redis servers.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Restrict network access to Redis instances to only trusted application hosts using strict firewall rules.
• If Lua scripting is not required for business operations, consider disabling it by renaming the EVAL and EVALSHA commands in the Redis configuration file.
• Ensure strong, unique passwords are used for Redis authentication and limit the privileges of the connected users where possible.

Public Exploit Available: false

Given the critical severity (CVSS 9.9) of this vulnerability, immediate action is required. All organizations utilizing affected Redis versions must prioritize applying the security updates provided by the vendor. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high impact makes it a likely candidate for future inclusion. Due to the high risk of complete system compromise, this vulnerability poses a clear and present danger to the security of the organization.