## https://sploitus.com/exploit?id=C39D709A-5707-512E-A49D-440E35D65CDB
# CVE-2025-49844 - RediShell

> Use-after-free in Redis Lua scripting leading to remote code execution.

## Summary of the CVE

Redis is an open source, in-memory database. CVE-2025-49844 is a use-after-free vulnerability in Redis's embedded Lua scripting engine. An authenticated user with access to Lua scripting can send a specially crafted script that manipulates garbage collection, triggers memory corruption, and can lead to remote code execution outside the Lua sandbox.

The issue affects Redis versions with Lua scripting before the fixed releases. Patching the Redis server is the recommended fix. If patching is not immediately possible, Redis Lua scripting should be restricted with ACLs by denying commands such as `EVAL` and `EVALSHA`.

## Affected Versions

- Redis 6.2 before 6.2.20
- Redis 7.2 before 7.2.11
- Redis 7.4 before 7.4.6
- Redis 8.0 before 8.0.4
- Redis 8.2 before 8.2.2
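
The version list above and the ACL mitigation from the summary can be turned into a triage check; this is an added example, not code from this repository. It assumes you have already captured the text of `INFO server` and `ACL LIST`, and it evaluates only `+@all`/`-@all`, `allcommands`/`nocommands`, `@scripting`, and explicit `eval`/`evalsha` rules, so other category rules are ignored.

```python
# Added example: the sample INFO/ACL LIST text below is constructed.
FIXED = {(6, 2): 20, (7, 2): 11, (7, 4): 6, (8, 0): 4, (8, 2): 2}  # branch -> fixed patch
SCRIPT_CMDS = ("eval", "evalsha")  # the commands this page names

SAMPLE_INFO = "# Server\r\nredis_version:8.2.1\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = [
    "user default on nopass ~* &* +@all",
    "user app on #<hash> ~app:* +@all -@scripting",
    "user batch on #<hash> ~* +@all -eval",  # EVALSHA is still allowed
    "user old off nopass ~* +@all",          # disabled account
]

def redis_version(info_text):
    """Extract redis_version from INFO output as a tuple of ints."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return tuple(int(p) for p in line.split(":", 1)[1].strip().split("."))
    raise ValueError("redis_version not found")

def is_affected(version):
    """True/False for the listed branches, None for a branch not listed here."""
    fixed_patch = FIXED.get(version[:2])
    return None if fixed_patch is None else version[2] < fixed_patch

def users_with_scripting(acl_lines):
    """Names of enabled users whose rules still allow EVAL or EVALSHA."""
    exposed = []
    for line in acl_lines:
        _, name, *rules = line.split()
        rules = [r.lower() for r in rules]
        allowed = dict.fromkeys(SCRIPT_CMDS, False)  # users start with no commands
        for rule in rules:  # rules apply left to right, later ones win
            if rule in ("+@all", "allcommands", "+@scripting"):
                allowed = dict.fromkeys(SCRIPT_CMDS, True)
            elif rule in ("-@all", "nocommands", "-@scripting"):
                allowed = dict.fromkeys(SCRIPT_CMDS, False)
            elif rule[0] in "+-" and rule[1:] in SCRIPT_CMDS:
                allowed[rule[1:]] = rule[0] == "+"
        if "on" in rules and any(allowed.values()):
            exposed.append(name)
    return exposed

if __name__ == "__main__":
    print(is_affected(redis_version(SAMPLE_INFO)), users_with_scripting(SAMPLE_ACL))
```

A `None` result from `is_affected` means the branch is not in the list above and needs a manual check against the Redis advisory.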

## Anomalies

The vulnerability check is broad: it only verifies that the target runs an affected Redis version with Lua scripting enabled. The exploit path is much more restrictive because it depends on exact binary layout, build IDs, function offsets, and JOP gadgets.

This script only reliably supports the following:

- `redis:8.2.1-alpine` with build ID `f5a80511e802827d`
- `redis:8.2.1-bookworm` with build ID `fcae35583392417f`

The command execution has no output.

## References

- [Redis Security Advisory - GHSA-4789-qfc9-5f9q](https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q)
- [NVD - CVE-2025-49844](https://nvd.nist.gov/vuln/detail/CVE-2025-49844)
- [CVE Details - CVE-2025-49844](https://www.cvedetails.com/cve/CVE-2025-49844/)
- [Redis 8.2.2 release notes](https://github.com/redis/redis/releases/tag/8.2.2)
- [Redis patch commit](https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539)
- [Public full exploit PoC - saneki](https://github.com/saneki/cve-2025-49844)
- [Public Docker lab - raminfp](https://github.com/raminfp/redis_exploit)