- Redis patches CVE-2025-49844, a critical bug that enables remote code execution via Lua script abuse
- The vulnerability had been present for 13 years; it affects versions 8.2.1 and below and is now fixed in 8.2.2
- Over 60,000 vulnerable instances require no authentication; urgent updates and ACL restrictions are strongly advised
Redis, a popular open source database, had a critical vulnerability that allowed threat actors to execute malicious code remotely. It has been fixed in the latest version, which users are now encouraged to install.
Redis, short for Remote Dictionary Server, is an open source, in-memory data store used as a database, cache and message broker for fast data access and real-time applications across a variety of cloud environments.
A security advisory said that a use-after-free vulnerability was introduced into the Redis source code 13 years ago. Authenticated attackers can craft a custom Lua script to trigger it, escape the Lua sandbox and gain a reverse shell and remote code execution capabilities. This in turn enables all sorts of malicious activity, from identity theft to malware infections, cryptojackers, data leaks and more.
Thousands of vulnerable instances
The bug is tracked as CVE-2025-49844 and was given a severity score of 9.9/10 (critical). It was found in versions 8.2.1 and below and fixed in version 8.2.2.
Those who cannot upgrade to the latest version in time should prevent users from running Lua scripts by using ACLs to restrict the EVAL and EVALSHA commands.
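The two checks the article recommends, an upgrade to 8.2.2 or, failing that, ACL rules that keep users away from EVAL and EVALSHA, can be verified from the plain-text output of `redis-cli INFO server` and `redis-cli ACL LIST`. The following triage script is an added example, not code from the article, Redis or Wiz: it parses both outputs, reports whether the version is still below 8.2.2, which enabled users can still call the Lua commands, which enabled users need no password, and the `ACL SETUSER <user> -@scripting` command that would close the gap for each of them. The INFO and ACL text at the bottom is constructed for the example, and the `#000…` password hash is a placeholder.

```python
"""Triage helper for the Redis Lua-scripting bug CVE-2025-49844.

Added example, not code from the article, Redis or Wiz. It parses the text
that `redis-cli INFO server` and `redis-cli ACL LIST` return and reports:
  * whether the version is still below 8.2.2 (the fix named in the article;
    8.2.1 and below are affected),
  * which enabled users can run the Lua commands EVAL/EVALSHA (and their
    read-only variants), i.e. the interim ACL mitigation is not in place,
  * which enabled users need no password at all.
The sample INFO and ACL output below is constructed for this example.
"""
import re

PATCHED_VERSION = (8, 2, 2)  # fixed version stated in the advisory
SCRIPTING_COMMANDS = ("eval", "evalsha", "eval_ro", "evalsha_ro")


def parse_version(info_text: str) -> tuple:
    """Extract redis_version from INFO output as a comparable tuple."""
    match = re.search(r"^redis_version:(\S+)", info_text, re.MULTILINE)
    if not match:
        raise ValueError("redis_version line not found in INFO output")
    return tuple(int(part) for part in match.group(1).split(".")[:3])


def is_vulnerable_version(version: tuple) -> bool:
    """True for 8.2.1 and below, per the article."""
    return version < PATCHED_VERSION


def user_name(acl_line: str) -> str:
    """ACL LIST lines look like 'user <name> on ... +@all'."""
    return acl_line.split()[1]


def scripting_commands_allowed(acl_line: str) -> set:
    """Replay one ACL LIST rule left to right and return the scripting
    commands the user ends up allowed to call. Later tokens override
    earlier ones, as in Redis itself; both categories (+@all, -@scripting)
    and single commands (-eval) are honoured. A disabled ('off') user can
    run nothing."""
    tokens = acl_line.split()
    if "off" in tokens:
        return set()
    allowed = {cmd: False for cmd in SCRIPTING_COMMANDS}
    for tok in tokens:
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = {cmd: True for cmd in SCRIPTING_COMMANDS}
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed = {cmd: False for cmd in SCRIPTING_COMMANDS}
        elif tok[:1] in "+-" and tok[1:].lower() in allowed:
            allowed[tok[1:].lower()] = tok.startswith("+")
    return {cmd for cmd, ok in allowed.items() if ok}


def needs_no_password(acl_line: str) -> bool:
    """An enabled user carrying 'nopass' accepts any AUTH password."""
    tokens = acl_line.split()
    return "on" in tokens and "nopass" in tokens


def triage(info_text: str, acl_lines: list) -> dict:
    """Combine the version and ACL findings into one report."""
    version = parse_version(info_text)
    lua_users = [user_name(l) for l in acl_lines if scripting_commands_allowed(l)]
    return {
        "version": ".".join(str(p) for p in version),
        "vulnerable_version": is_vulnerable_version(version),
        "users_with_lua": lua_users,
        "users_without_password": [user_name(l) for l in acl_lines if needs_no_password(l)],
        # Interim mitigation from the advisory: deny the scripting category.
        "mitigation": [f"ACL SETUSER {u} -@scripting" for u in lua_users],
    }


# Constructed sample output (not from a real server).
SAMPLE_INFO = "# Server\r\nredis_version:8.2.1\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #" + "0" * 64 + " ~app:* &* +@all -@scripting",  # placeholder hash
    "user legacy off nopass ~* &* +@all",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_INFO, SAMPLE_ACL).items():
        print(f"{key}: {value}")
```

On the constructed sample the report flags the 8.2.1 build, the `default` user (which can run Lua and needs no password) and proposes `ACL SETUSER default -@scripting`; the `app` user is already covered by `-@scripting` and the disabled `legacy` user is ignored. Denying the whole `@scripting` category is broader than only `-eval -evalsha`, which the function also recognises, so either form of the rule is reported correctly.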
Citing security researchers at Wiz, BleepingComputer also reports that there are roughly 330,000 Redis instances exposed online, at least 60,000 of which are vulnerable because they require no authentication.
The actual number of vulnerable Redis instances is probably much higher if we include those with weak credentials or those already compromised through other vulnerabilities.
“The combination of widespread deployment, insecure default configurations and the severity of the vulnerability creates an urgent need for immediate remediation. Organizations must prioritize updating their Redis deployments and implement proper security controls to protect against exploitation,” noted Wiz.
Via BleepingComputer