13-Year-Old Redis RCE Flaw Lets Attackers Seize Complete Host Control
A remote code execution vulnerability discovered in Redis, the widely-used in-memory data structure store, has sent shockwaves through the cybersecurity community.
The flaw, designated CVE-2025-49844 and dubbed “RediShell” by researchers, carries the maximum CVSS 3.1 severity score of 10.0 and affects all Redis versions.
13-Year-Old Bug Creates Modern Security Crisis
Wiz Research uncovered the vulnerability, a Use-After-Free memory corruption bug that has been present in the Redis source code for approximately 13 years.
The flaw allows authenticated attackers to send specially crafted malicious Lua scripts that escape the Lua sandbox environment and achieve arbitrary native code execution on the Redis host system.
CVE ID | Product | Vulnerability Type | Impact | Attack Vector | Authentication Required |
---|---|---|---|---|---|
CVE-2025-49844 | Redis (all versions) | Use-After-Free (UAF) Memory Corruption | Remote Code Execution (RCE) | Network | Yes (Post-auth) |
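Because the flaw is reachable only after authentication and only through Lua scripting, the configuration surface that matters to a defender is small: whether the instance requires credentials, whether it listens on every interface, and whether scripting commands are granted to the accounts that can reach it. The following audit script is an added example, not code from the gbhackers article, Wiz Research, or the Redis project. It parses `redis.conf`-style text and flags those exposures; the two sample configurations, the `app` user and its placeholder password are constructed, and the ACL evaluation models only the `+/-@all`, `+/-@scripting` and `+/-eval` rule forms, not the full Redis ACL grammar.

```python
"""Audit redis.conf directives for exposure to a post-auth, Lua-driven RCE.
Added example; the checks are general Redis hardening, not steps from the article."""

WEAK_CONF = """\
# constructed sample: an internet-facing instance with defaults left open
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
# constructed sample: local bind, auth required, scripting withheld from the app user
bind 127.0.0.1
protected-mode yes
port 6379
user default off
user app on >placeholder-not-a-real-secret ~* &* +@all -@scripting
"""


def parse_redis_conf(text):
    """Map each directive to the list of argument lists it appears with.
    Directives such as `user` or `rename-command` may legitimately repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf.setdefault(name.lower(), []).append(args)
    return conf


def user_allows_scripting(rules):
    """Simplified ACL evaluation: apply command rules left to right and report
    whether EVAL-style commands remain permitted. Only the rule forms listed
    below are modelled (assumption); ACL users start with no commands."""
    allowed = False
    for rule in rules:
        r = rule.lower()
        if r in ("+@all", "allcommands", "+@scripting", "+eval", "+evalsha"):
            allowed = True
        elif r in ("-@all", "nocommands", "-@scripting", "-eval"):
            allowed = False
    return allowed


def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: listening on all interfaces (missing or wildcard bind)")

    if [x.lower() for x in conf.get("protected-mode", [["yes"]])[-1]] == ["no"]:
        findings.append("protected-mode is disabled")

    # Authentication: requirepass, or at least one ACL user with a password rule.
    users = conf.get("user", [])
    has_auth = "requirepass" in conf or any(
        any(t.startswith((">", "#")) for t in args) for args in users)
    if not has_auth:
        findings.append("no authentication: the RCE is post-auth, so an open "
                        "instance removes the only barrier in front of it")

    # Scripting reachability: with no ACL users the implicit default user has
    # +@all, so EVAL is available to anyone who authenticates.
    if not users:
        renamed_away = any(len(a) == 2 and a[0].lower() == "eval" and a[1] == '""'
                           for a in conf.get("rename-command", []))
        if not renamed_away:
            findings.append("scripting reachable: no ACL rule or rename removes EVAL")
    else:
        for args in users:
            status = [t.lower() for t in args[1:] if t.lower() in ("on", "off")]
            if status and status[-1] == "on" and user_allows_scripting(args[1:]):
                findings.append(f"user {args[0]} is enabled with scripting allowed")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_redis_conf(text)))
```

Running the script reports four findings for the weak sample and none for the hardened one. Restricting `@scripting` does not remove the underlying memory-corruption bug, so it belongs alongside patching, not in place of it; the audit simply shows which accounts could reach the vulnerable code path on a given instance.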
The vulnerability’s impact extends far beyond simple data breach scenarios.
Successful exploitation grants attackers complete control over the host system ...
Copyright of this story solely belongs to gbhackers.