A maximum-severity vulnerability in Redis's in-memory database software has been disclosed. RediShell, tracked as CVE-2025-49844, carries a CVSS score of 10.0.

In a hypothetical attack scenario it could be used to exfiltrate sensitive data, drop malware, steal credentials, or pivot to other cloud services. Approximately 60,000 of the 330,000 Redis instances currently online have no authentication configured. Redis versions 6.2.20, 7.2.11, 7.4.6, 8.4.4, and 8.2.2, released on October 3, 2025, fix the flaw, which affects all Redis versions.

The recommended mitigation is to use an access control list (ACL) to restrict the EVAL and EVALSHA commands, so that users cannot run Lua scripts at all. More generally, only trusted identities should be able to run Lua scripts or any other potentially dangerous commands. "This flaw allows a post-auth attacker to send a specially crafted malicious Lua script to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host," stated Wiz.
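A defender applying that advice needs to know which users in an existing deployment can still reach EVAL and EVALSHA, and whether those users even authenticate. The script below is an added example, not code from the article, from Redis, or from Wiz: it parses the `user ...` lines of a Redis aclfile (the same rule syntax `ACL SETUSER` accepts), replays each user's command rules left to right as Redis does (later rules win), and reports every enabled user who can run EVAL or EVALSHA, flagging those with `nopass`. It also shows how appending `-@scripting` revokes those commands regardless of earlier grants. The `@scripting` membership list and the assumption that adding a password clears `nopass` are modelling assumptions approximating Redis 7; check `ACL CAT scripting` on your own version. The sample aclfile is constructed.

```python
"""Audit a Redis ACL file for users who can still reach the Lua scripting commands.

Added example, not part of the article or of Redis itself. Rules are replayed
in order, as Redis applies them, so a later -@scripting overrides an earlier
+@all, and a later +eval re-grants a single command.
"""
from __future__ import annotations

# Assumption: commands Redis 7 groups under @scripting (verify: ACL CAT scripting).
SCRIPTING = {"eval", "evalsha", "eval_ro", "evalsha_ro", "script",
             "function", "fcall", "fcall_ro"}
# The two entry points the advisory tells you to restrict.
LUA_ENTRYPOINTS = {"eval", "evalsha"}
# Only scripting commands are tracked, so @all is modelled as "every scripting
# command"; other categories (+@read, +@hash, ...) have no effect on this audit.
CATEGORIES = {"all": SCRIPTING, "scripting": SCRIPTING}


def allowed_commands(rules: list[str]) -> set[str]:
    """Replay +/- command rules in order; return the allowed (modelled) command set."""
    allowed: set[str] = set()
    for rule in rules:
        token = rule.lower()
        if token in ("allcommands", "+@all"):
            allowed |= CATEGORIES["all"]
        elif token in ("nocommands", "-@all"):
            allowed.clear()
        elif token.startswith("+@"):
            allowed |= CATEGORIES.get(token[2:], set())
        elif token.startswith("-@"):
            allowed -= CATEGORIES.get(token[2:], set())
        elif token.startswith("+"):
            allowed.add(token[1:].split("|")[0])      # "+cmd" or "+cmd|subcmd"
        elif token.startswith("-"):
            allowed.discard(token[1:].split("|")[0])
        # on/off, passwords (>, #, nopass, resetpass), keys (~) and channels (&)
        # do not change the command set; parse_acl_file handles the auth state.
    return allowed


def parse_acl_file(text: str) -> dict[str, dict]:
    """Return {username: {"enabled": bool, "nopass": bool, "commands": set[str]}}."""
    users: dict[str, dict] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue                                  # comments and blank lines
        name, rules = parts[1], parts[2:]
        enabled, nopass = False, False
        for rule in rules:
            if rule == "on":
                enabled = True
            elif rule == "off":
                enabled = False
            elif rule == "nopass":
                nopass = True
            elif rule == "resetpass" or rule[0] in (">", "#"):
                nopass = False     # assumption: adding a real password clears nopass
        users[name] = {"enabled": enabled, "nopass": nopass,
                       "commands": allowed_commands(rules)}
    return users


def find_lua_exposure(acl_text: str) -> list[dict]:
    """Enabled users who can run EVAL/EVALSHA, with whether they need a password."""
    findings = []
    for name, info in parse_acl_file(acl_text).items():
        if not info["enabled"]:
            continue
        reachable = sorted(LUA_ENTRYPOINTS & info["commands"])
        if reachable:
            findings.append({"user": name, "commands": reachable,
                             "nopass": info["nopass"]})
    return findings


def harden_line(user_line: str) -> str:
    """Append an explicit -@scripting rule. Later rules win, so this revokes
    EVAL/EVALSHA (and FUNCTION/FCALL, which also run Lua) whatever earlier rules
    granted. On a live server: ACL SETUSER <name> -@scripting, then ACL SAVE."""
    return user_line.rstrip() + " -@scripting"


# Constructed sample aclfile: an unauthenticated default user, a properly scoped
# application user, an operator who re-added EVAL after the category deny, and a
# disabled legacy account.
SAMPLE_ACL = """\
# constructed sample, not a real deployment
user default on nopass ~* &* +@all
user app on >s3cret ~app:* +@all -@scripting
user ops on >opspass ~* +@all -@scripting +eval
user legacy off nopass ~* +@all
"""

if __name__ == "__main__":
    for f in find_lua_exposure(SAMPLE_ACL):
        auth = "NO PASSWORD" if f["nopass"] else "password required"
        print(f"{f['user']}: can run {', '.join(f['commands'])} ({auth})")
    print(harden_line("user default on nopass ~* &* +@all"))
```

Run against the sample, the audit reports `default` (EVAL and EVALSHA, no password, which is the exposed-and-unauthenticated case the article counts) and `ops` (EVAL only, re-granted after `-@scripting`), while `app` is clean and the disabled `legacy` user is ignored. Denying the whole `@scripting` category rather than just EVAL and EVALSHA is deliberate: Redis Functions (FUNCTION, FCALL) execute Lua too, so a rule that removes only the two named commands leaves a second path into the same interpreter.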

The flaw is a use-after-free (UAF) memory corruption bug that has been present in the Redis source code for approximately 13 years. Wiz reported it to Redis on May 16, 2025.