Redis Server Use-After-Free Vulnerability Allows Remote Code Execution
gbhackers

A critical security vulnerability has been discovered in Redis Server that could allow authenticated attackers to achieve remote code execution through a use-after-free flaw in the Lua scripting engine.
The vulnerability, tracked as CVE-2025-49844, affects all versions of Redis that support Lua scripting functionality.
Critical Memory Corruption Flaw Discovered
Security researchers from Wiz, including Benny Isaacs, Nir Brakha, and Sagi Tzadik, working with Trend Micro’s Zero Day Initiative, identified this severe vulnerability, which is rooted in Redis’s Lua garbage collection mechanism.
The flaw allows authenticated users to craft malicious Lua scripts that manipulate the garbage collector, triggering a use-after-free condition that can lead to arbitrary code execution on the target system.
| Field | Value |
| --- | --- |
| CVE ID | CVE-2025-49844 |
| Vulnerability Type | Use-After-Free (CWE-416) |
| Impact | Remote Code Execution |
| CVSS 3.1 Score | 10.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) |
| Severity | Critical ... |
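Because the flaw is reachable only by an authenticated user who can run Lua (the PR:L in the vector above), one practical exposure check is to review which Redis ACL users can reach any scripting command. The following is an added example, not code from the article or from the Redis project: it evaluates `ACL LIST` lines offline against a constructed sample; the set of commands it treats as the `@scripting` category is an assumption taken from the Redis ACL documentation.

```python
"""Offline check of Redis ACL LIST output for users who can reach the Lua
engine. Assumption: SCRIPTING_COMMANDS lists the members of Redis's
@scripting ACL category; other categories are ignored on purpose."""
import shlex

SCRIPTING_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro",
                      "script", "function", "fcall", "fcall_ro"}

def can_run_scripts(acl_line):
    """True if one 'user <name> ...' line grants any scripting command.
    ACL rules apply left to right and later rules override earlier ones;
    only scripting commands are tracked here."""
    tokens = shlex.split(acl_line)
    enabled, allowed = False, set()
    for tok in tokens[2:]:
        t = tok.lower()
        if t in ("on", "off"):
            enabled = (t == "on")
        elif t in ("+@all", "allcommands", "+@scripting"):
            allowed = set(SCRIPTING_COMMANDS)
        elif t in ("-@all", "nocommands", "-@scripting"):
            allowed = set()
        elif t[:1] == "+":
            # "+script|flush" grants a subcommand; treat it as reaching the
            # command (conservative: over-report rather than miss a user).
            cmd = t[1:].split("|", 1)[0]
            if cmd in SCRIPTING_COMMANDS:
                allowed.add(cmd)
        elif t[:1] == "-" and "|" not in t:
            allowed.discard(t[1:])  # removing one subcommand keeps the rest
    return enabled and bool(allowed)

def users_with_script_access(acl_list_lines):
    """Names of enabled users that can execute Lua via any scripting command."""
    return [shlex.split(line)[1] for line in acl_list_lines
            if can_run_scripts(line)]

# Constructed sample in the shape of ACL LIST output; the '#...' password
# hashes are placeholders, not real SHA-256 digests.
PLACEHOLDER_HASH = "#" + "0" * 64
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    f"user app on {PLACEHOLDER_HASH} ~app:* &* -@all +@read +@write",
    f"user batch on {PLACEHOLDER_HASH} ~* &* +@all -@scripting +eval_ro",
    f"user legacy off {PLACEHOLDER_HASH} ~* &* +@all",
]

if __name__ == "__main__":
    for name in users_with_script_access(SAMPLE_ACL_LIST):
        print(f"{name}: can run Lua scripts; consider adding -@scripting")
```

Note that `eval_ro` still runs Lua, so the `batch` user is reported even though it was stripped of `@scripting`; the check is intentionally conservative and is a review aid, not a substitute for applying the vendor fix.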
Copyright of this story solely belongs to gbhackers.