RediShell: Critical remote code execution vulnerability in Redis

Summary

Executive summaryWiz Research has uncovered a critical Remote Code Execution (RCE) vulnerability, CVE-2025-49844 which we've dubbed #RediShell, in the widely used Redis in-memory data structure store. The vulnerability has been assigned a CVSS score of 10.0 - the highest possible severity.The vulnerability exploits a Use-After-Free (UAF) memory corruption bug that has existed for approximately 13 years in the Redis source code. This flaw allows a post auth attacker to send a specially crafted malicious Lua script (a feature supported by default in Redis) to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host. This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments.Given that Redis is used in an estimated 75% of cloud environments, the potential impact is extensive. Organizations are strongly urged to patch instances immediately by prioritizing those that are exposed to the internet.On October 3, Redis released a security advisory along with a patched version of Redis. We extend our gratitude to the entire Redis team for their collaboration throughout the disclosure process. We greatly appreciate their transparency, responsiveness, and partnership during this engagement.In this post, we will provide a high-level overview of our discovery and its implications. Given the prevalence and sensitivity of this vulnerability, we will defer some of the technical details to a future installment, omitting exploit information for now to allow impacted organizations sufficient time to address the vulnerability.Organizations utilizing Redis are strongly encouraged to update their Redis instances to the latest version immediately.Vulnerability Meets Ubiquity: The Redis Risk MultiplierThe newly disclosed RediShell (CVE-2025-49844) vulnerability in Redis has been assigned a CVSS score of 10.0 - a rating rarely ...