CVE-2025-49844

CVE-2025-49844 is a use-after-free vulnerability (CWE-416) in Redis, an open-source in-memory database that persists on disk. It affects versions 8.2.1 and below, with the issue present in all versions supporting Lua scripting. An authenticated user can execute a specially crafted Lua script to manipulate the garbage collector, triggering a use-after-free condition that potentially leads to remote code execution. The vulnerability was published on 2025-10-03 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

An authenticated user with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By submitting a malicious Lua script via supported commands, the attacker manipulates Redis's garbage collector, causing a use-after-free that enables arbitrary code execution on the server, potentially compromising the entire system given the high impact on confidentiality, integrity, and availability.

Redis addresses this in version 8.2.2, as detailed in the official GitHub commit, release notes, and security advisory. Without patching the redis-server executable, a workaround involves using ACL to restrict users from executing Lua scripts by blocking the EVAL and EVALSHA commands. Additional details are available in the referenced GitHub security advisory and oss-security mailing list announcement.