Critical Redis Lua Flaw (CVE-2025-49844) Rated CVSS 10.0 Allows Remote Code Execution
Wiz researchers have disclosed a critical vulnerability in Redis affecting version 8.2.1 and earlier releases. Tracked as CVE-2025-49844 and rated CVSS 10.0, the flaw is a use-after-free (UAF) in the parser of the embedded Lua interpreter: the luaY_parser routine creates the name string of the chunk being loaded but fails to anchor it on the Lua stack before invoking the lexer. Nothing keeps the string alive during parsing, so the garbage collector can reclaim it while the parser still holds a pointer to it, and that dangling pointer can be turned into remote arbitrary code execution.
At its core, the issue exists because Redis embeds Lua 5.1 to execute server-side scripts (EVAL, EVALSHA and related commands). In vulnerable builds, an attacker who can submit a script also controls the chunk name handed to the parser, and can craft a payload that triggers garbage collection (GC) while the parser still references that name. This is not a threading race (Redis executes commands on a single thread) but a deterministic GC-induced UAF: once the name string is freed, the adversary can reoccupy the reclaimed memory with controlled contents, escape the Lua sandbox, and run code at the native C level inside the Redis process.
Exploitation prerequisites are modest: a Redis server running version 8.2.1 or earlier, network reachability to the Redis port (local-network access suffices), and the ability to execute Lua scripts. On a default configuration that last requirement is met by any client that can authenticate, and by any client at all where no password or ACL restricts access; redis-cli is sufficient tooling.
Practical exploits use a script file such as CVE-2025-49844.lua that repeatedly invokes loadstring while inducing GC through the chunk name. A representative attack loop looks like:
while redis-cli -h localhost -p 6379 --eval CVE-2025-49844.lua >/dev/null; do printf '.'; done
The loop keeps resubmitting the script for as long as redis-cli exits cleanly and stops the moment the command fails, which in practice means the connection dropped because the server crashed or disconnected the client.
Successful exploitation may crash the Redis process or force client disconnects (a denial of service on its own), and in the worst case yields remote code execution in the context of the Redis process.
The defect has been remedied in Redis 8.2.2, where the chunk name is anchored on the Lua stack until parsing completes; the fix has also been backported to the older supported release lines, so check the Redis advisory for the patched version of the line you run. The fix is available in commit d5728cb. Specialists strongly advise upgrading to Redis 8.2.2 or later. Where an immediate upgrade is infeasible, disable Lua script execution for untrusted users as a temporary mitigation: Redis ACLs expose the @scripting command category, so a rule such as -@scripting on the affected users (including the default user, if unauthenticated clients can reach the instance) blocks EVAL, EVALSHA and the other scripting commands. Remember that ACL changes made at runtime are lost on restart unless they are persisted with ACL SAVE or written into the configured ACL file, and that network exposure should be reduced in parallel, since the attack needs nothing more than a TCP connection to the port.
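The triage step this implies is a version check followed by the ACL mitigation for anything unpatched. The script below is an added example, not code from the article, from Wiz or from the Redis project; it reads the text of `redis-cli INFO server`, compares the reported version against the lowest fixed release on its major.minor line, and prints the mitigation when the server is vulnerable. The 8.2.2 threshold comes from the article; the backport thresholds for the older lines are assumed from the upstream Redis advisory and should be confirmed there before the script is relied on. The sample INFO output embedded in the block is constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the article or the Redis project): triage a Redis
# instance for CVE-2025-49844 from its reported version and print the ACL
# mitigation when it is unpatched.
#   offline demo : sh check.sh --demo
#   live check   : redis-cli -h HOST -p 6379 INFO server | sh check.sh --stdin

# Lowest fixed release per major.minor line. 8.2.2 is from the article; the
# other entries are ASSUMED from the upstream Redis advisory (verify there).
# Any line absent from this list is treated as having no fix, i.e. vulnerable.
FIXED_VERSIONS="8.2.2 8.0.4 7.4.6 7.2.11 6.2.20"

# split_version VER -> prints "major minor patch"; missing fields become 0 and
# a non-numeric suffix on the patch field (e.g. "1-rc1") is stripped.
split_version() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    patch=${3:-0}
    patch=${patch%%[!0-9]*}
    echo "${1:-0} ${2:-0} ${patch:-0}"
}

# version_at_least VER MIN -> returns 0 when VER >= MIN in dotted numeric order.
version_at_least() {
    set -- $(split_version "$1") $(split_version "$2")
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ] && return 0; return 1; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ] && return 0; return 1; fi
    [ "$3" -ge "$6" ] && return 0; return 1
}

# fixed_version_for_line VER -> prints the fixed release on VER's major.minor
# line, or returns 1 when that line has no fixed release in the table.
fixed_version_for_line() {
    set -- $(split_version "$1")
    line="$1.$2."
    for f in $FIXED_VERSIONS; do
        case $f in "$line"*) echo "$f"; return 0;; esac
    done
    return 1
}

# redis_version_fixed VER -> 0 if VER carries the fix, 1 if it is vulnerable.
redis_version_fixed() {
    min=$(fixed_version_for_line "$1") || return 1
    version_at_least "$1" "$min" && return 0; return 1
}

# redis_version_from_info -> reads `INFO server` text on stdin (CRLF-tolerant)
# and prints the redis_version value, or nothing if the field is absent.
redis_version_from_info() {
    tr -d '\r' | sed -n 's/^redis_version:\([0-9][0-9.a-zA-Z-]*\).*/\1/p' | head -n 1
}

# check_redis_cve_2025_49844 -> reads INFO text on stdin, prints a verdict and
# the mitigation; returns 0 (fixed), 1 (vulnerable) or 2 (version not found).
check_redis_cve_2025_49844() {
    ver=$(redis_version_from_info)
    [ -n "$ver" ] || { echo "could not find redis_version in INFO output" >&2; return 2; }
    if redis_version_fixed "$ver"; then
        echo "redis $ver: carries the CVE-2025-49844 fix"
        return 0
    fi
    echo "redis $ver: VULNERABLE to CVE-2025-49844; upgrade, or until then restrict scripting:"
    echo "  redis-cli ACL SETUSER default -@scripting   # blocks EVAL/EVALSHA and other @scripting commands"
    echo "  redis-cli ACL SAVE                          # persist, if an ACL file is configured"
    return 1
}

# Constructed sample of `INFO server` output (not a real capture) for the demo.
SAMPLE_INFO='# Server
redis_version:8.2.1
redis_mode:standalone
os:Linux 6.8.0 x86_64'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_INFO" | check_redis_cve_2025_49844
elif [ "${1:-}" = "--stdin" ]; then
    check_redis_cve_2025_49844
fi
```

The version comparison is deliberately per release line rather than a single "is it below 8.2.2" test: a 7.4.x server patched to 7.4.6 is fixed even though 7.4.6 is numerically below 8.2.2, while a 7.4.5 server is not. Applying -@scripting to the default user is the blunt but effective form of the mitigation when unauthenticated clients can reach the port; on instances with per-user ACLs, narrow it to the users that do not need scripting.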