A serious security flaw has been found in Redis, a popular in-memory database used by many companies around the world. The bug is 13 years old and has been given a CVSS score of 10.0, which is the highest possible severity rating. This means the flaw is extremely dangerous and should be fixed immediately.

The vulnerability has been identified as CVE-2025-49844, also called RediShell by security researchers. It exists in the Lua scripting feature of Redis. Lua allows users to run small scripts inside Redis, but a use-after-free memory bug lets a specially crafted Lua script escape the Lua sandbox and execute code on the host. This gives an attacker the ability to run any command they want on the server.

To exploit this vulnerability, an attacker needs to have authenticated access to the Redis instance. This means they must already know the login credentials or be able to connect from a trusted network. However, many Redis setups, especially in cloud environments and containers, are left exposed to the internet with weak or no authentication. This makes it easier for attackers to take advantage of the flaw.

Once successfully exploited, this vulnerability can lead to serious consequences. Attackers could steal sensitive data, install malware, hijack system resources, run crypto-mining programs, or even spread to other connected systems. Because Redis is widely used for caching and session data in web applications, the impact of such an attack can be massive.

Researchers who discovered the flaw performed internet scans and found around 330,000 Redis instances exposed publicly. Shockingly, about 60,000 of them did not have any authentication enabled. Since the default Redis container image does not require a password, many users are unknowingly running vulnerable servers.

The Redis team has officially acknowledged the issue and released patches on October 3, 2025. The fixed versions include Redis 8.2.2, 8.0.4, 7.4.6, 7.2.11, and corresponding enterprise builds. Users are strongly advised to update to one of these patched releases immediately. Redis Cloud users are already protected, as the cloud service was automatically updated by the Redis team.

For those who cannot patch right away, Redis has suggested temporary workarounds. One option is to disable Lua scripting completely. Another is to block or revoke access to the EVAL and EVALSHA commands using Access Control Lists (ACLs). It is also recommended to limit Redis access to internal networks, use strong passwords, run Redis under non-root users, and apply firewall rules to prevent unauthorized connections.
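As an added example (not Redis tooling or code from the advisory), the script below audits the text of a redis.conf for the interim mitigations listed above: authentication, restricted bind address, protected mode, and Lua access removed through ACL rules. The directives it reads (requirepass, user, bind, protected-mode) and the ACL tokens (+@all, -@scripting, -eval, -evalsha) are real Redis syntax; the two sample configs are constructed.

```python
SCRIPT_CMDS = {"eval", "evalsha"}
ALL_IFACES = {"0.0.0.0", "*", "::"}


def parse_conf(text):
    """Return (directive, args) pairs; comments and blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            entries.append((parts[0].lower(), parts[1:]))
    return entries


def scripting_allowed(rules):
    """Walk one ACL 'user' rule list in order. Redis ACL users start with
    no commands and later rules override earlier ones."""
    allowed = set()
    for t in (r.lower() for r in rules):
        if t in ("+@all", "allcommands", "+@scripting"):
            allowed |= SCRIPT_CMDS
        elif t in ("-@all", "nocommands", "-@scripting"):
            allowed -= SCRIPT_CMDS
        elif t[1:] in SCRIPT_CMDS:           # +eval / -eval / +evalsha / -evalsha
            (allowed.add if t[0] == "+" else allowed.discard)(t[1:])
    return bool(allowed)


def audit(conf_text):
    """Return a list of finding codes; an empty list means every check passed."""
    conf = parse_conf(conf_text)
    users = [args for d, args in conf if d == "user"]
    findings = []
    has_pass = any(d == "requirepass" and args for d, args in conf)
    if not has_pass and not any(t[0] in ">#" for u in users for t in u):
        findings.append("no-auth")              # no requirepass, no ACL password
    binds = [set(args) for d, args in conf if d == "bind"]
    if not binds or any(b & ALL_IFACES for b in binds):
        findings.append("exposed-bind")         # listening on all interfaces
    if any(args[:1] == ["no"] for d, args in conf if d == "protected-mode"):
        findings.append("protected-mode-off")
    # With no 'user' lines the implicit default user has +@all, so Lua runs.
    if not users or any(scripting_allowed(u) for u in users):
        findings.append("scripting-reachable")
    return findings


WEAK = "bind 0.0.0.0\nprotected-mode no\n"   # constructed sample config
HARDENED = ("bind 127.0.0.1\nprotected-mode yes\n"   # constructed sample config
            "user default on >placeholder-password ~* &* +@all -@scripting\n")
```

Run `audit(open("/etc/redis/redis.conf").read())` against a real file; anything it returns maps to one of the workarounds above.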

At the moment, there is no confirmed evidence that hackers have used this vulnerability in real-world attacks. Still, cybersecurity experts warn that because of the bug’s severity and the high number of exposed Redis servers, exploitation attempts are expected to appear soon. Organizations are urged to take preventive steps right away to avoid being compromised.

In conclusion, the Redis flaw CVE-2025-49844 (RediShell) is one of the most severe security issues discovered recently. It has been hiding in Redis code for over a decade, and now that it’s public, attackers will likely try to exploit it. Every Redis user should patch their systems, secure network access, and monitor for unusual activity to stay safe from this critical threat.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news