Share
## https://sploitus.com/exploit?id=1C5E74BC-33A1-572A-AACC-E3ED8D3E9E16
# 🚨 CVE-2025-49844 β€” β€œRediShell”



**Critical Remote Code Execution in the World's Fastest In-Memory Store**  
Redis Lua scripting just became the perfect post-auth landing zone.

![CVSS Badge](https://img.shields.io/badge/CVSS-10.0-critical?style=for-the-badge&logo=security&logoColor=white&color=red)
![Status Badge](https://img.shields.io/badge/Status-Public_Exploits-red?style=for-the-badge&logo=exploit&logoColor=white)
![Type Badge](https://img.shields.io/badge/Type-Use-After-Free-orange?style=for-the-badge)
![Discovered Badge](https://img.shields.io/badge/Discovered-May_2025-blue?style=for-the-badge&logo=calendar)

**Authenticated attacker β†’ crafted Lua script β†’ escape sandbox β†’ full RCE on host**


---

## ⚠️ Overview
**CVE-2025-49844** ("**RediShell**") is a **critical use-after-free (UAF)** memory corruption vulnerability in **Redis**' embedded Lua scripting engine.

An **authenticated** user submits a specially crafted Lua script via `EVAL` / `EVALSHA` that manipulates the garbage collector, triggers a UAF during parsing/execution, escapes the Lua sandbox, and achieves **arbitrary code execution** on the underlying host.

The bug lurked in Redis source code for **~13 years** (since early Lua integration) and affects virtually **all versions** with Lua enabled until patched in October 2025.

> β€œOne malicious EVAL call. Full server takeover. Redis in 2025–2026 just got interesting.”

---

## πŸ”₯ Severity & Impact
- **CVSS v3.1 Base Score**: **10.0 / Critical** (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- **Attack Vector**: Network (Redis TCP port, usually 6379)
- **Privileges Required**: Low (any authenticated Redis user with script execution rights)
- **User Interaction**: None
- **Exploit Maturity**: Public PoCs & exploit tools released shortly after disclosure

**Reality in March 2026**:
- Public exploits target reverse shells, persistence, crypto-mining payloads
- High-risk in cloud environments (caching layers, session stores, queues)
- Combined with weak auth / exposed Redis β†’ full infra compromise
- Many legacy deployments, Docker images, and managed services still vulnerable

---

## πŸ•΅οΈ Discovery & Credit
- Discovered by **Wiz Research** team
- Reported via **Pwn2Own Berlin** (May 2025)
- Coordinated disclosure: October 3, 2025 (Redis advisory + patches)
- Dubbed **"RediShell"** by Wiz (shell-like RCE via Lua escape)

---

## πŸ”¬ Technical Deep Dive
Redis embeds Lua 5.x for scripting (`EVAL`, `EVALSHA`, functions, etc.).  
The flaw exists in Lua parser/GC interaction:

1. Attacker sends crafted Lua script via `EVAL`
2. During parsing (`luaY_parser`), a `TString` object is allocated but **not protected** on the Lua stack
3. GC runs prematurely β†’ frees the object
4. Later code uses the freed memory β†’ UAF primitive
5. Attacker chains this to leak memory, bypass ASLR, ROP/return-to-libc β†’ arbitrary native code execution outside sandbox

**Key fatal point**: Lua sandbox was never hardened against memory corruption primitives.

---

## πŸ“… Timeline
| Date              | Event                                      |
|-------------------|--------------------------------------------|
| **~2012**         | Vulnerable Lua integration introduced      |
| **May 2025**      | Wiz discovers & demos at Pwn2Own Berlin    |
| **Oct 3, 2025**   | Public disclosure + Redis security advisory|
| **Oct 3, 2025**   | Fixed versions released (6.2.20+, 7.x, 8.x)|
| **Oct 6–7, 2025** | Wiz/Sysdig/Redrays blogs + initial PoCs    |
| **Oct 2025+**     | Exploit repos appear (GitHub, labs)        |
| **March 2026**    | Exploitation ongoing against legacy/cloud setups |

---

## πŸ–₯️ Affected Systems
**Vulnerable**: **All Redis versions** with Lua scripting enabled **before** the October 2025 patches  
**Fixed in**:
- Redis 8.2.2+
- Redis 8.0.4+
- Redis 7.4.6+
- Redis 7.2.11+
- Redis 6.2.20+

**Common targets in 2026**:
- Cloud caching/session stores (AWS ElastiCache, Azure Cache, GCP Memorystore)
- Docker/K8s deployments with default Redis images
- Legacy apps using Redis  -p 6379 -a password
> EVAL "crafted_lua_that_triggers_uaf_and_execs_shell" 0
```

Full weaponized PoCs appeared on GitHub within days (memory leak β†’ ROP β†’ shell).  
Many include ASLR bypass, NX/DEP evasion, and persistence options.

---

## πŸ›‘οΈ Check & Remediate (March 2026)
### 1. Check version
```bash
redis-cli INFO SERVER | grep redis_version
```
β†’ Vulnerable if 
  March 2026 Status: ⚠️ Still burning unpatched Redis β†’ Upgrade or disable Lua now
  Made with πŸ”₯ for defenders scanning redis-cli INFO everywhere