
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-49844 is a critical vulnerability in Redis, an open-source in-memory data store that can persist its data to disk. The vulnerability was discovered and disclosed on October 3, 2025, and affects Redis versions 8.2.1 and below. It allows an authenticated user to abuse Lua scripting functionality to manipulate the garbage collector, potentially leading to remote code execution (GitHub Advisory).
The vulnerability is a Use-After-Free (CWE-416) triggered by executing specially crafted Lua scripts, and it is present in every version of Redis that includes Lua scripting. It carries a CVSS v3.1 base score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which denotes a network attack vector, low attack complexity, low privileges required, no user interaction, a changed scope, and high impact on confidentiality, integrity, and availability (GitHub Advisory).
An authenticated attacker can therefore execute remote code on the affected system through manipulation of the garbage collector. This can lead to complete compromise of the host, with high impact on system confidentiality, integrity, and availability (GitHub Advisory).
The vulnerability is patched in Redis version 8.2.2. Systems that cannot be updated immediately can apply the workaround of blocking Lua script execution by denying the EVAL and EVALSHA commands to users through Redis ACLs (Redis Release, GitHub Advisory).
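As an added example (not code from this page, the advisory, or the Redis project), the following Python script turns the ACL workaround above into an audit: it parses lines in the format printed by the Redis `ACL LIST` command, applies a simplified left-to-right model of ACL command rules to decide whether each user can still run EVAL or EVALSHA, and emits the `ACL SETUSER <user> -eval -evalsha` statements that would apply the advisory's workaround to every exposed user. The sample ACL lines are constructed, `#<sha256-placeholder>` stands in for a real password hash, and the assumption that EVAL and EVALSHA belong to the `@scripting` and `@slow` categories is taken from the Redis command reference; the rule evaluation is a simplification of Redis's real ACL engine.

```python
"""Audit Redis ACL users for the ability to run Lua scripts (EVAL / EVALSHA).

Added example, not Redis's own ACL engine: it applies a simplified
left-to-right model of ACL command rules to lines in the format printed
by `ACL LIST`. The sample lines below are constructed, and
`#<sha256-placeholder>` stands in for a real password hash.
"""

# The two commands the advisory's workaround names.
LUA_ENTRYPOINTS = ("eval", "evalsha")

# ACL categories that contain EVAL and EVALSHA (assumption taken from the
# Redis command reference: both commands are tagged @scripting and @slow).
LUA_CATEGORIES = {"scripting", "slow"}

SAMPLE_ACL_LIST = [  # constructed ACL LIST output
    "user default on nopass ~* &* +@all",
    "user app on #<sha256-placeholder> ~app:* &* +@all -@scripting",
    "user legacy on #<sha256-placeholder> ~* &* +@all -eval -evalsha",
    "user reader on #<sha256-placeholder> ~* &* -@all +@read",
    "user batch on #<sha256-placeholder> ~* &* -@all +@all -eval +evalsha",
    "user dormant off nopass ~* &* +@all",
]


def parse_acl_line(line):
    """Split an `ACL LIST` line into (username, rule tokens)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    return parts[1], parts[2:]


def can_run(rules, command):
    """Decide whether `command` is allowed under `rules`.

    Simplified model: rules apply left to right and later rules override
    earlier ones. Key patterns (~), channel patterns (&), password tokens (#)
    and any unrecognised token are ignored. A user switched `off` can run
    nothing regardless of its command rules.
    """
    enabled = True
    allowed = False
    for tok in rules:
        if tok == "off":
            enabled = False
        elif tok == "on":
            enabled = True
        elif tok in ("allcommands", "+@all"):
            allowed = True
        elif tok in ("nocommands", "-@all"):
            allowed = False
        elif tok[:2] in ("+@", "-@"):
            # Category rule: only categories containing the command matter.
            if tok[2:] in LUA_CATEGORIES:
                allowed = tok[0] == "+"
        elif tok[:1] in ("+", "-") and "|" not in tok:
            # Whole-command rule ("+cmd" / "-cmd"); subcommand rules
            # ("+cmd|sub") do not grant or deny the parent command.
            if tok[1:] == command:
                allowed = tok[0] == "+"
    return enabled and allowed


def audit(acl_lines):
    """Map each user to {command: allowed} for the Lua entry points."""
    report = {}
    for line in acl_lines:
        user, rules = parse_acl_line(line)
        report[user] = {cmd: can_run(rules, cmd) for cmd in LUA_ENTRYPOINTS}
    return report


def remediation_commands(report):
    """ACL SETUSER statements that deny EVAL and EVALSHA to every exposed user."""
    return [f"ACL SETUSER {user} -eval -evalsha"
            for user, access in report.items() if any(access.values())]


if __name__ == "__main__":
    result = audit(SAMPLE_ACL_LIST)
    for user, access in result.items():
        status = "EXPOSED" if any(access.values()) else "ok"
        print(f"{user:10} eval={access['eval']!s:5} "
              f"evalsha={access['evalsha']!s:5} {status}")
    for cmd in remediation_commands(result):
        print(cmd)
```

Fed the constructed lines, the audit flags `default` (unrestricted `+@all`) and `batch` (EVAL denied but EVALSHA re-enabled by a later rule) as exposed, while the `-@scripting`, `-eval -evalsha` and `-@all +@read` users are not. To run it against a real instance, pass it the lines from `redis-cli ACL LIST` as printed, and review the generated statements before applying them; the check covers only the two commands the advisory names.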
The vulnerability was discovered by Wiz researchers Benny Isaacs (@bennyisaacs), Nir Brakha, and Sagi Tzadik (@sagitz) working in collaboration with Trend Micro's Zero Day Initiative (GitHub Advisory).
Source: This report was generated using AI