On October 3, 2025, Redis released security updates for Redis Software and for all Redis OSS/CE and Redis Stack releases that include Lua scripting, addressing a vulnerability it rated at the maximum severity.
The flaw, tracked as CVE-2025-49844, affects every Redis build with Lua scripting enabled, including Redis OSS/CE, Redis Stack, and Redis Enterprise (Redis Software) deployments. Lua scripting lets clients run custom scripts inside the server process through commands such as EVAL and EVALSHA, and it is enabled in standard Redis builds, so a default configuration is affected. The embedded Lua interpreter includes a garbage collector, and the vulnerability is a use-after-free bug in that component: an authenticated client can submit a specially crafted script that corrupts memory and can potentially achieve remote code execution on the Redis host. Redis rated the flaw with a Common Vulnerability Scoring System (CVSS) score of 10.0 out of 10, while the National Institute of Standards and Technology (NIST) assigned a score of 9.9 in the National Vulnerability Database.
As of October 6, 2025, there was no confirmed exploitation in the wild. To reduce exposure, Redis recommends upgrading to the patched releases: Redis OSS/CE 8.2.2 (with backported fixes in 8.0.4, 7.4.6, 7.2.11 and 6.2.20 for the older supported branches), Redis Stack 7.4.0-v7, and Redis Software 7.22.2-12 or later. Redis has stated that the Redis Cloud service was patched automatically and requires no customer action.
For environments where immediate patching is not feasible, Redis and the researchers who reported the flaw recommend preventing users from executing Lua scripts as a workaround. This is done with Access Control Lists (ACLs) that deny the EVAL and EVALSHA commands, or, more completely, the whole @scripting command category, which also covers EVAL_RO, EVALSHA_RO, FCALL, FCALL_RO, FUNCTION and SCRIPT. The rule has to be applied to every user that can authenticate, including the default user, and persisted to the ACL file; any application that depends on server-side scripts will stop working until the server is patched and the rule lifted.
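The two checks above, a version check against the fixed releases and an audit of which ACL users can still reach the scripting commands, are easy to get wrong by hand because ACL rules are evaluated left to right and the @scripting category is wider than EVAL and EVALSHA. The following Python script is an added example written for this page; it is not code from Redis or from the advisory. It assumes the fixed version list published in the Redis advisory and the Redis 7 membership of the @scripting and @slow categories, and it runs against constructed sample INFO and ACL-file text rather than a live server.

```python
"""Audit helpers for CVE-2025-49844: is this Redis patched, and which ACL
users can still reach the Lua scripting commands?"""
import re

# Minimum fixed Redis OSS/CE release per supported branch, as listed in the
# Redis security advisory for CVE-2025-49844. Branches absent here (7.0, 5.x)
# received no fix.
FIXED_VERSIONS = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
    (6, 2): (6, 2, 20),
}

# Commands that execute or load Lua inside the server. In Redis 7+ all of them
# belong to the @scripting category (and to @slow), so "-@scripting" removes
# them in one rule; the advisory's minimal form "-eval -evalsha" does not.
SCRIPT_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro",
                   "fcall", "fcall_ro", "function", "script"}
CATEGORIES_WITH_SCRIPTING = {"all", "scripting", "slow"}


def parse_version(info_text):
    """Return (major, minor, patch) from the output of `INFO server`."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if `version` carries the fix for its branch. Branches newer than
    8.2 were released after the fix; unlisted older branches have no fix."""
    branch = tuple(version[:2])
    if branch in FIXED_VERSIONS:
        return tuple(version) >= FIXED_VERSIONS[branch]
    return branch > max(FIXED_VERSIONS)


def scripting_allowed(rules):
    """Evaluate a user's ACL rule string left to right (the order Redis
    applies it) and return the scripting commands the user can still call.
    Only @all/@scripting/@slow and explicit command names are modelled; the
    other categories (@read, @write, ...) contain no scripting commands.
    Subcommand rules such as "-script|flush" are flattened to the parent
    command, so a partially restricted command still counts as reachable."""
    allowed, enabled = set(), True
    for tok in rules.split():
        t = tok.lower()
        if t == "off":
            enabled = False
        elif t == "on":
            enabled = True
        elif t == "reset":                       # back to "off -@all"
            allowed, enabled = set(), False
        elif t in ("allcommands", "+@all"):
            allowed = set(SCRIPT_COMMANDS)
        elif t in ("nocommands", "-@all"):
            allowed = set()
        elif t.startswith("+@"):
            if t[2:] in CATEGORIES_WITH_SCRIPTING:
                allowed = set(SCRIPT_COMMANDS)
        elif t.startswith("-@"):
            if t[2:] in CATEGORIES_WITH_SCRIPTING:
                allowed = set()
        elif t.startswith("+"):
            cmd = t[1:].split("|")[0]            # "+script|exists" grants script
            if cmd in SCRIPT_COMMANDS:
                allowed.add(cmd)
        elif t.startswith("-") and "|" not in t:
            allowed.discard(t[1:])
        # password (>, #, <, !), key (~, %) and channel (&) rules are irrelevant here
    return allowed if enabled else set()


def parse_acl_file(acl_text):
    """Map user name -> rule string for each `user ...` line of a users.acl
    file or of `ACL LIST` output (both use the same syntax)."""
    users = {}
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "user":
            users[parts[1]] = " ".join(parts[2:])
    return users


def audit_acl_file(acl_text):
    """Return {user: sorted list of scripting commands still reachable}."""
    return {name: sorted(scripting_allowed(rules))
            for name, rules in parse_acl_file(acl_text).items()}


# Constructed sample inputs (not captured from a real server). The #... value
# is the SHA-256 of the string "password", standing in for a real hash.
SAMPLE_INFO = "# Server\r\nredis_version:8.2.1\r\nredis_mode:standalone\r\n"
PW = "#5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
SAMPLE_ACL = f"""
user default on nopass ~* &* +@all
user appuser on {PW} ~app:* &* -@all +@read +@write +@scripting
user partial on {PW} ~* &* +@all -eval -evalsha -script|flush
user hardened on {PW} ~app:* &* +@all -@scripting
user retired off {PW} +@all
"""

if __name__ == "__main__":
    ver = parse_version(SAMPLE_INFO)
    print("redis_version %d.%d.%d patched: %s" % (*ver, is_patched(ver)))
    for user, cmds in audit_acl_file(SAMPLE_ACL).items():
        state = "EXPOSED: " + " ".join(cmds) if cmds else "ok (no scripting)"
        print(f"{user:10s} {state}")
```

Feed it real data by replacing the samples with the output of `redis-cli INFO server` and `redis-cli ACL LIST` (or the contents of the configured users.acl file). The `partial` user shows why the narrow workaround is not enough: after `-eval -evalsha` the user can still run EVAL_RO, FCALL and FUNCTION LOAD, all of which execute Lua. To apply the wider rule on a live server, run `ACL SETUSER <user> -@scripting` for each user and then `ACL SAVE` (which requires `aclfile` to be configured) so the change survives a restart.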
Analyst insight
Redis has been targeted in past campaigns due to its widespread use, high performance, and frequent misconfigurations. In previous incidents, attackers exploited unsecured Redis instances to deploy cryptocurrency miners, establish backdoors, or pivot into broader cloud environments.
CVE-2025-49844 is straightforward to exploit once an attacker can authenticate to the server: the attack path is a crafted script sent over the normal client protocol, with no advanced techniques and no user interaction required.
In many Redis environments, particularly those exposed to internal networks or lacking strict access controls, authenticated access is easier to obtain than anticipated. Redis authentication is a static password per ACL user (or a single shared requirepass) and is not enabled by default; credentials are often weak, shared across services, or embedded in application configuration, and are typically less protected in development or staging setups. The risk is highest in deployments where Redis is reachable from the internet or lacks proper network segmentation and access restrictions.
Review Redis deployments for Lua scripting usage and for the paths by which a client can authenticate. Patch production environments first and monitor for unusual script activity; the cmdstat_eval, cmdstat_evalsha, cmdstat_fcall and cmdstat_script counters in INFO commandstats show script use on instances where none is expected. Redis has published indicators of compromise and configuration guidance to support detection and hardening efforts.
Reducing exposure involves limiting network access to Redis instances (binding to internal interfaces and firewalling the Redis port), enforcing authentication with strong per-user ACL passwords rather than a shared requirepass, and granting each user only the commands and key patterns it needs. Denying the EVAL and EVALSHA commands via ACL, or the whole @scripting category, is the recommended workaround where patching is delayed. Redis Cloud has already been patched across its infrastructure.