Introduction
Remote code execution through authenticated Lua scripts in Redis can lead to full compromise of in-memory data, session tokens, and application state. CVE-2025-49844 is a critical vulnerability affecting all Redis deployments with Lua scripting enabled up to version 8.2.1, allowing attackers with script execution privileges to exploit a use-after-free condition and run arbitrary code on the server.
Redis is a widely adopted open source in-memory data store, powering caching, session management, and analytics for thousands of organizations globally. Its Lua scripting engine enables atomic server-side logic, but also introduces complex memory management challenges that have led to several high-impact vulnerabilities.
Technical Information
CVE-2025-49844 is a use-after-free vulnerability in the Lua scripting subsystem of Redis. The flaw resides in the interaction between the Lua virtual machine's garbage collector and Redis's script execution logic. Authenticated users with access to the EVAL or EVALSHA commands can submit specially crafted Lua scripts that manipulate object references and the timing of garbage collection cycles. By doing so, a script can cause the garbage collector to free memory still referenced by active objects.
When freed memory is subsequently reused by the Lua VM or Redis, this can result in memory corruption. In practice, attackers can leverage this to achieve remote code execution within the Redis server process. The root cause is insufficient validation of object liveness during garbage collection, allowing scripts to trigger premature deallocation and unsafe reuse of memory.
All Redis versions supporting Lua scripting up to and including 8.2.1 are affected. The vulnerability is present regardless of deployment configuration as long as Lua scripting is enabled and accessible to authenticated users.
Patch Information
To address the critical vulnerability identified as CVE-2025-49844, Redis has implemented a comprehensive patch that fortifies the Lua scripting engine against potential exploitation. This vulnerability, rated with a CVSS score of 10.0, involves a use-after-free scenario within the Lua garbage collector, which could be manipulated by an authenticated user to execute arbitrary code remotely.
The patch introduces several key modifications to enhance memory management and prevent unauthorized memory access:
- Enhanced Garbage Collection Mechanism: The Lua garbage collector has been refined to include additional checks that detect and prevent premature deallocation of memory objects still in use. This change ensures that memory is only freed when it is no longer accessible by any part of the program.
- Memory Access Validation: Additional validation steps have been incorporated to verify the integrity of memory references during Lua script execution. These checks help identify and block attempts to access memory that has been freed or is outside the allocated bounds.
- Strict Script Execution Controls: The patch enforces stricter controls over Lua script execution, limiting the ability of scripts to manipulate internal memory structures. This measure reduces the risk of scripts performing operations that could lead to memory corruption.
- Updated Lua API Usage: The Redis codebase has been updated to use safer Lua API functions that inherently perform boundary checks and manage memory more securely. This update minimizes the risk of introducing vulnerabilities through API misuse.
By integrating these enhancements, the patch effectively mitigates the risk associated with CVE-2025-49844, ensuring that Redis instances are safeguarded against potential remote code execution attacks stemming from Lua script manipulation.
Implementation Details:
The specific code changes involve:
- Garbage Collector Enhancements: Modifications to the lgc.c file within the Lua source to include additional validation checks during the garbage collection cycle.
- Memory Access Validation: Updates to the lvm.c file to incorporate boundary checks during virtual machine operations.
- Script Execution Controls: Adjustments in the ldo.c file to enforce stricter execution policies for Lua scripts.
- API Usage Updates: Replacing deprecated or unsafe API calls with their safer counterparts across the various files that interact with the Lua engine.
These changes collectively strengthen the security posture of Redis by addressing the root cause of the vulnerability and preventing similar issues in the future.
Upgrade Recommendations:
To benefit from these security enhancements, users are strongly advised to upgrade their Redis installations to the latest patched versions. The fixed releases addressing this vulnerability are:
- Redis Software: Versions 7.22.2-12 and above, 7.8.6-207 and above, 7.4.6-272 and above, 7.2.4-138 and above, 6.4.2-131 and above.
- Redis OSS/CE/Stack: Versions 8.2.2 and above, 8.0.4 and above, 7.4.6 and above, 7.2.11 and above.
By upgrading to these versions, users can ensure their Redis instances are protected against the exploitation of CVE-2025-49844.
For detailed instructions on upgrading and best practices for securing your Redis deployment, please refer to the official Redis documentation.
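To turn the fixed-release list above into a check an operator can run against the output of INFO server, here is an added Python example (not from the original advisory or the Redis project). It covers only the OSS/CE/Stack version scheme, treats every branch without a listed backport as affected up to 8.2.1, and uses a constructed INFO sample.

```python
"""Compare a Redis OSS/CE/Stack version against the CVE-2025-49844 fixed releases."""
import re

# First patched release per branch, as listed in the advisory for OSS/CE/Stack.
FIXED_OSS = {(8, 2): (8, 2, 2), (8, 0): (8, 0, 4), (7, 4): (7, 4, 6), (7, 2): (7, 2, 11)}
# The advisory states that all versions up to and including 8.2.1 are affected.
LAST_AFFECTED = (8, 2, 1)

# Constructed sample of what `redis-cli INFO server` returns (trimmed).
SAMPLE_INFO = "# Server\r\nredis_version:8.2.1\r\nredis_mode:standalone\r\nos:Linux 6.1.0 x86_64\r\n"


def parse_version(text):
    """Parse 'X.Y.Z' into an int tuple, ignoring any trailing suffix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def redis_version_from_info(info_text):
    """Extract the redis_version field from INFO server output."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


def is_patched(version_text):
    """True only if the version is at or above the fixed release of its own branch.
    Branches with no listed backport (e.g. 7.0.x, 6.2.x) are affected unless newer than 8.2.1."""
    ver = parse_version(version_text)
    branch = ver[:2]
    if branch in FIXED_OSS:
        return ver >= FIXED_OSS[branch]
    return ver > LAST_AFFECTED


def assess(info_text):
    """Return the running version, whether it is patched, and the release to upgrade to."""
    version = redis_version_from_info(info_text)
    branch = parse_version(version)[:2]
    target = FIXED_OSS.get(branch, max(FIXED_OSS.values()))
    return {"version": version, "patched": is_patched(version),
            "upgrade_to": ".".join(map(str, target))}


if __name__ == "__main__":
    import sys
    # Pipe real output in with: redis-cli INFO server | python3 check_redis.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INFO
    print(assess(text))
```

A version match alone does not tell you who can reach EVAL and EVALSHA; review user ACLs separately, since the issue requires script execution privileges.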
Note: The above information is based on the security advisory available at Redis Security Advisory: CVE-2025-49844.