Share
## https://sploitus.com/exploit?id=1C5E74BC-33A1-572A-AACC-E3ED8D3E9E16
# π¨ CVE-2025-49844 β βRediShellβ
**Critical Remote Code Execution in the World's Fastest In-Memory Store**
Redis Lua scripting just became the perfect post-auth landing zone.




**Authenticated attacker β crafted Lua script β escape sandbox β full RCE on host**
---
## β οΈ Overview
**CVE-2025-49844** ("**RediShell**") is a **critical use-after-free (UAF)** memory corruption vulnerability in **Redis**' embedded Lua scripting engine.
An **authenticated** user submits a specially crafted Lua script via `EVAL` / `EVALSHA` that manipulates the garbage collector, triggers a UAF during parsing/execution, escapes the Lua sandbox, and achieves **arbitrary code execution** on the underlying host.
The bug lurked in Redis source code for **~13 years** (since early Lua integration) and affects virtually **all versions** with Lua enabled until patched in October 2025.
> βOne malicious EVAL call. Full server takeover. Redis in 2025β2026 just got interesting.β
---
## π₯ Severity & Impact
- **CVSS v3.1 Base Score**: **10.0 / Critical** (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- **Attack Vector**: Network (Redis TCP port, usually 6379)
- **Privileges Required**: Low (any authenticated Redis user with script execution rights)
- **User Interaction**: None
- **Exploit Maturity**: Public PoCs & exploit tools released shortly after disclosure
**Reality in March 2026**:
- Public exploits target reverse shells, persistence, crypto-mining payloads
- High-risk in cloud environments (caching layers, session stores, queues)
- Combined with weak auth / exposed Redis β full infra compromise
- Many legacy deployments, Docker images, and managed services still vulnerable
---
## π΅οΈ Discovery & Credit
- Discovered by **Wiz Research** team
- Reported via **Pwn2Own Berlin** (May 2025)
- Coordinated disclosure: October 3, 2025 (Redis advisory + patches)
- Dubbed **"RediShell"** by Wiz (shell-like RCE via Lua escape)
---
## π¬ Technical Deep Dive
Redis embeds Lua 5.x for scripting (`EVAL`, `EVALSHA`, functions, etc.).
The flaw exists in Lua parser/GC interaction:
1. Attacker sends crafted Lua script via `EVAL`
2. During parsing (`luaY_parser`), a `TString` object is allocated but **not protected** on the Lua stack
3. GC runs prematurely β frees the object
4. Later code uses the freed memory β UAF primitive
5. Attacker chains this to leak memory, bypass ASLR, ROP/return-to-libc β arbitrary native code execution outside sandbox
**Key fatal point**: Lua sandbox was never hardened against memory corruption primitives.
---
## π
Timeline
| Date | Event |
|-------------------|--------------------------------------------|
| **~2012** | Vulnerable Lua integration introduced |
| **May 2025** | Wiz discovers & demos at Pwn2Own Berlin |
| **Oct 3, 2025** | Public disclosure + Redis security advisory|
| **Oct 3, 2025** | Fixed versions released (6.2.20+, 7.x, 8.x)|
| **Oct 6β7, 2025** | Wiz/Sysdig/Redrays blogs + initial PoCs |
| **Oct 2025+** | Exploit repos appear (GitHub, labs) |
| **March 2026** | Exploitation ongoing against legacy/cloud setups |
---
## π₯οΈ Affected Systems
**Vulnerable**: **All Redis versions** with Lua scripting enabled **before** the October 2025 patches
**Fixed in**:
- Redis 8.2.2+
- Redis 8.0.4+
- Redis 7.4.6+
- Redis 7.2.11+
- Redis 6.2.20+
**Common targets in 2026**:
- Cloud caching/session stores (AWS ElastiCache, Azure Cache, GCP Memorystore)
- Docker/K8s deployments with default Redis images
- Legacy apps using Redis -p 6379 -a password
> EVAL "crafted_lua_that_triggers_uaf_and_execs_shell" 0
```
Full weaponized PoCs appeared on GitHub within days (memory leak β ROP β shell).
Many include ASLR bypass, NX/DEP evasion, and persistence options.
---
## π‘οΈ Check & Remediate (March 2026)
### 1. Check version
```bash
redis-cli INFO SERVER | grep redis_version
```
β Vulnerable if
March 2026 Status: β οΈ Still burning unpatched Redis β Upgrade or disable Lua now
Made with π₯ for defenders scanning redis-cli INFO everywhere