CVE-2025-49844
Published: 03 October 2025
Summary
CVE-2025-49844 is a critical-severity Use After Free (CWE-416) vulnerability in Redis Redis. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 7.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the use-after-free vulnerability by requiring timely patching to Redis version 8.2.2.
Enforces least privilege through Redis ACL restrictions on EVAL and EVALSHA commands to block malicious Lua scripts.
Prohibits unnecessary Lua scripting functionality to prevent exploitation of the garbage collector use-after-free.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables low-privilege authenticated users to trigger a use-after-free via crafted Lua scripts in Redis, leading to remote code execution on the server process. This facilitates exploitation of remote services (T1210) and privilege escalation (T1068) from Redis ACL permissions to host-level code execution.
NVD Description
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code…
more
execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Deeper analysisAI
CVE-2025-49844 is a use-after-free vulnerability (CWE-416) in Redis, an open-source in-memory database that persists on disk. It affects versions 8.2.1 and below, with the issue present in all versions supporting Lua scripting. An authenticated user can execute a specially crafted Lua script to manipulate the garbage collector, triggering a use-after-free condition that potentially leads to remote code execution. The vulnerability was published on 2025-10-03 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
An authenticated user with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By submitting a malicious Lua script via supported commands, the attacker manipulates Redis's garbage collector, causing a use-after-free that enables arbitrary code execution on the server, potentially compromising the entire system given the high impact on confidentiality, integrity, and availability.
Redis addresses this in version 8.2.2, as detailed in the official GitHub commit, release notes, and security advisory. Without patching the redis-server executable, a workaround involves using ACL to restrict users from executing Lua scripts by blocking the EVAL and EVALSHA commands. Additional details are available in the referenced GitHub security advisory and oss-security mailing list announcement.
Details
- CWE(s)