Redis Critical Remote Code Execution Vulnerability Discovered After 13 Years

Redis Critical Remote Code Execution Vulnerability Discovered After 13 Years

Redis, a widely used in-memory data structure store, has disclosed a critical security vulnerability (CVE-2025-49844) with a CVSS score of 10.0. This use-after-free (UAF) memory corruption flaw in Redis and Valkey’s Lua scripting engine allows authenticated attackers to execute arbitrary code on affected systems. The vulnerability, dubbed “RediShell,” has been present for 13 years and was reported by Wiz researchers. Immediate action is required to patch systems and mitigate risks.

---

Key Details of the Vulnerability

• CVE Identifier: CVE-2025-49844
• CVSS Score: 10.0 (Critical)
• Vulnerability Type: Use-after-free (UAF) in Lua scripting
• Exploitation Vector: Authenticated attacker sends a malicious Lua script to trigger the UAF and escape the Lua sandbox
• Impact: Full host access, enabling data exfiltration, system compromise, and lateral movement in cloud environments
• Affected Systems:
  • Redis versions prior to 7.22.2-20, 7.8.6-207, 7.4.6-272, 7.2.4-138, or 6.4.2-131
  • Valkey versions prior to 7.2.11, 8.0.6, or 8.1.4

---

Exploitation Process

1. Authentication Bypass: Attackers first gain access to a Redis/Valkey instance (often due to misconfigured authentication or exposed networks).
2. Crafted Lua Script: A malicious script is sent to exploit the UAF vulnerability, manipulating the garbage collector to free memory and reuse it for arbitrary code execution.
3. Sandbox Escape: The script escapes the Lua sandbox, allowing execution of native code on the host system.
4. Post-Exploitation: Attackers can establish a reverse shell, steal credentials, deploy malware, or leverage stolen IAM tokens to move laterally in cloud environments.

---

Impact and Risk Assessment

• Widespread Usage: Redis is used in 75% of cloud environments, making the vulnerability a high-priority threat.
• Exposed Instances:
  • 330,000 Redis instances are exposed to the internet.
  • 60,000+ instances lack authentication.
  • 57% of cloud environments use Redis as container images without proper hardening.
• Potential Consequences:
  • Data theft, system compromise, and ransomware attacks.
  • Lateral movement in cloud environments via stolen IAM tokens.
  • Long-term persistence through reverse shells.

---

Mitigation Strategies

• Immediate Patching:
  • Upgrade to Redis 7.22.2-20+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, or 6.4.2-131+.
  • Upgrade Valkey to 7.2.11, 8.0.6, or 8.1.4.
• Security Best Practices:
  • Restrict network access using firewalls and network policies.
  • Enforce strong authentication (e.g., passwords for Valkey nodes).
  • Limit permissions to trusted identities for Lua scripts and risky commands.
  • Audit configurations for exposed instances and misconfigured authentication.

---

Expert Insights and Recommendations

• Riaz Lakhani (CISO, Redis):

  • Emphasizes the need for authenticated access control and network segmentation to prevent exploitation.

• Khawaja Shams (CEO, Momento):

  • Highlights the criticality of enabling authentication even for internal VPC clusters.

• Matthias Endler (Rust Consultant):

  • Notes that C’s memory safety risks (e.g., UAF) persist despite expert development, underscoring the need for safer languages in critical systems.

---

Conclusion

The Redis/Valkey vulnerability underscores the importance of proactive security measures, including timely patching, strict access controls, and continuous monitoring. While no exploitation has been confirmed, the scale of exposed instances and the critical nature of the flaw demand immediate attention from developers and DevOps teams.

---

Reference: Redis Critical Remote Code Execution Vulnerability Discovered After 13 Years