Critical 10/10 Flaw in Redis Existed Undetected for 13 Years
Redis, one of the most widely used in-memory caching and database systems, has faced a startling revelation: a critical vulnerability had silently existed in its codebase for thirteen years. The flaw, identified as CVE-2025-49844 and rated a perfect 10 out of 10 on the severity scale, allows an attacker with user-level access to execute arbitrary code on the server — effectively granting complete control over the Redis process. In production environments, such a compromise could have catastrophic consequences.
Researchers Benny Isaacs and Nir Braha from Wiz, in collaboration with the Trend Micro Zero Day Initiative, discovered that the flaw affects all Redis versions supporting Lua scripting. The issue lies within Redis’s memory management mechanism, specifically in the behavior of its garbage collector. By manipulating how the collector handles memory, an attacker can trigger a use-after-free condition — a state in which freed memory is mistakenly reused — creating an opportunity to inject and execute malicious code directly within the Redis server.
What alarms experts most is not only the severity of the flaw but also its longevity — it has gone unnoticed since the introduction of the Lua engine into Redis’s codebase, nearly a decade and a half ago. As Redis underpins approximately three-quarters of all cloud environments, this long-lived defect potentially impacts hundreds of thousands of organizations and government systems worldwide. Researchers urge administrators to apply the patch immediately, prioritizing all internet-exposed instances.
For users of Redis Cloud, the issue has already been resolved — the patches were deployed automatically. However, those managing their own installations, including self-hosted, corporate, and on-premise versions, must manually update to the latest releases available on the project’s official site.
According to Wiz, there are currently about 330,000 Redis instances publicly accessible online, with nearly 60,000 lacking authentication entirely. This means that anyone with a server’s IP address could interact with it directly, making exploitation of the vulnerability particularly perilous.
In an official advisory published on October 3, Redis Labs stated that no exploitation attempts have been observed so far, either in its cloud infrastructure or within customer environments. Nonetheless, administrators are advised to audit their systems for potential compromise indicators, such as unexplained database connections, abnormal inbound or outbound activity, the presence of unfamiliar Lua scripts, unexpected server crashes related to Lua modules, or the execution of unauthorized commands.
Administrators should also restrict network access to Redis using firewalls and strict security policies, permitting connections only from trusted sources, and require authentication on every connection. Since Redis often functions as a critical component within complex microservice architectures, an unpatched vulnerability in a single node could easily become an entry point for attackers into an entire ecosystem.
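An added example (not code from the article, Wiz or the Redis project) of how an administrator could audit the two exposures described above, users with no password and users who can reach the Lua engine, from the text returned by `ACL LIST`, plus a numeric version comparison; the minimum patched version is a placeholder argument because the fixed release numbers are not given here, and the sample ACL output is constructed:

```python
import re
# Added example (not from the article or the Redis project). Audits ACL LIST
# output for users that can reach the Lua engine the flaw lives in, plus a
# version check; the minimum patched version is a caller-supplied placeholder.

# Commands that load or run Lua; all belong to the @scripting ACL category.
LUA_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro",
                "fcall", "fcall_ro", "function"}

def user_can_run_lua(rules):
    """Apply ACL rule tokens left to right; later tokens override earlier ones."""
    allowed = dict.fromkeys(LUA_COMMANDS, False)
    for tok in rules:
        t = tok.lower()
        if t in ("+@all", "allcommands"):
            allowed = dict.fromkeys(LUA_COMMANDS, True)
        elif t in ("-@all", "nocommands"):
            allowed = dict.fromkeys(LUA_COMMANDS, False)
        elif t in ("+@scripting", "-@scripting"):
            allowed = dict.fromkeys(LUA_COMMANDS, t[0] == "+")
        elif t[0] in "+-" and t[1:].split("|")[0] in LUA_COMMANDS:
            allowed[t[1:].split("|")[0]] = t[0] == "+"
    return any(allowed.values())

def audit_acl(acl_list_text):
    """Return (user, issue) findings from the text returned by ACL LIST."""
    findings = []
    for line in acl_list_text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "user" or "off" in parts[2:]:
            continue  # skip malformed lines and disabled users
        name, rules = parts[1], parts[2:]
        if "nopass" in rules:
            findings.append((name, "no password: unauthenticated access"))
        if user_can_run_lua(rules):
            findings.append((name, "can run Lua scripts (EVAL/FCALL)"))
    return findings

def version_is_older(running, minimum_patched):
    """Numeric dotted-version compare, e.g. '7.2.4' is older than '7.2.11'."""
    key = lambda v: tuple(int(x) for x in re.findall(r"\d+", v))
    return key(running) < key(minimum_patched)

# Constructed sample of ACL LIST output (password hashes replaced by placeholders).
SAMPLE_ACL = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #<password-hash> ~cache:* &* -@all +@read +@write
user ops on #<password-hash> ~* &* +@all -@scripting
"""
```

Removing `@scripting` from users that do not need it narrows the path to the Lua engine while the patch is rolled out, but it is a stopgap, not a substitute for updating.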