CVE-2025-49844: 
Redis Analisi e mitigazione delle vulnerabilità

Redis versions 8.2.1 and below contain a critical remote code execution vulnerability (CVE-2025-49844), dubbed 'RediShell'. This use-after-free memory corruption bug has existed in the Redis source code for approximately 13 years, affecting all versions with Lua scripting support. The vulnerability allows an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free condition, and potentially achieve remote code execution. The issue was discovered by Wiz researchers and reported through Pwn2Own Berlin in May 2025, with patches released on October 3, 2025 (Wiz Research, NVD).

The vulnerability stems from insufficient validation of object liveness during garbage collection in Redis's Lua scripting subsystem, which is enabled by default. The technical mechanism involves memory corruption through crafted Lua scripts that manipulate the garbage collector to free memory still referenced by active objects, leading to a sandbox escape condition. The vulnerability has been assigned a CVSS score of 9.9-10.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability (Wiz Research, Sysdig).

The vulnerability's impact is extensive, affecting an estimated 75% of cloud environments. Analysis revealed approximately 330,000 Redis instances exposed to the internet, with about 60,000 instances having no authentication configured. After compromising a Redis host, attackers can steal credentials, deploy malware, extract sensitive data from Redis, or move laterally to other systems. The vulnerability affects both self-hosted Redis instances and managed services such as Amazon ElastiCache, Google Cloud Memorystore, and Azure Cache for Redis (Wiz Research).

The vulnerability has been patched in Redis versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2. For organizations unable to patch immediately, a temporary workaround involves preventing users from executing Lua scripts by using Access Control Lists (ACLs) to restrict EVAL and EVALSHA commands. Additional security recommendations include enforcing strong authentication, running Redis with a non-root user account, implementing network segmentation, and avoiding exposure to the public internet (GitHub Advisory, Redis Patch).