Vulnerability Report

CVE-2025-49844

RCE

Title: Redis RCE

Memory Corruption

Proof Of Concept

PoC Available for CVE-2025-49844

CWE Category CWE-416
Published Date Oct 03, 2025
Modified Date Mar 20, 2026
Exploit Status Available
Score 9.9 CVSS v3.1
Exploit Probability (EPSS)
86.27%

Vulnerability Summary

CVE-2025-49844: Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Impacted Vendors

R
redis 1
L
lfprojects 1
R
redislabs 1
A
anynines 1

Reference Links

https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539 https://github.com/redis/redis/releases/tag/8.2.2 https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q http://www.openwall.com/lists/oss-security/2025/10/07/2
CVSS v3.1
Source Entity [email protected]
Severity CRITICAL
9.9
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
NONE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
CHANGED
RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS v3.1
Source Entity [email protected]
Severity CRITICAL
9.9
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
NONE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
CHANGED
RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2025-49844 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/raminfp/redis_exploit
View Code
GitHub https://github.com/dwisiswant0/CVE-2025-49844
View Code
GitHub https://github.com/Yuri08loveElaina/CVE-2025-49844
View Code
MODIFIED

Vulnerability data updated via NVD.

MODIFIED

Vulnerability data updated via NVD.

MODIFIED

Vulnerability data or affected products updated.

PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK
Complexity LOW
Privileges N/A
Interaction NONE
CVSS Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Stack

No specific products linked.