Vulnerabilities in Redis and Valkey That Allow Code Execution on the Server When Database Access Is Available

Researchers at Wiz have identified a vulnerability in the Redis DBMS (CVE-2025-49844) that allows remote code execution (RCE) on the server. The issue has been assigned the highest severity level (CVSS score 10 out of 10). To exploit it, the attacker must be able to send requests to the Redis DBMS, which permits the execution of custom Lua scripts.

Beyond publicly accessible Redis instances that allow access without authentication, the vulnerability can be used to compromise cloud systems and hosting platforms that offer Redis-based services. According to Wiz, a network scan identified about 330 thousand Redis servers accepting connections, of which about 60 thousand accept requests without authentication. The official Docker container image provided by the Redis project is configured by default for access without authentication.

The vulnerability is caused by a use-after-free (access to already freed memory) that is triggered by manipulating the garbage collector from a specially crafted Lua script. The problem allows an attacker to bypass the sandbox isolation of the Lua environment in Redis and execute code on the host system with the privileges of the user under which the DBMS runs.
Notably, the bug remained undetected for 13 years. The researchers who identified the problem have demonstrated a working exploit, but its details have not yet been disclosed, to give time for updates to be installed.

The vulnerability also affects the Valkey project, which develops a fork of Redis that ships with most Linux distributions, including Red Hat Enterprise Linux 10. The vulnerability has been fixed in Redis releases 8.2.2, 8.0.4, 7.4.6, 7.2.11 and 6.2.20, as well as in Valkey 8.1.4, 8.0.6 and 7.2.11. You can check the status of a new package version or patch preparation in distributions on the following pages: Debian, Ubuntu, Fedora, SUSE/openSUSE, RHEL, Gentoo, Arch, FreeBSD, OpenBSD and NetBSD.
As a security workaround in the DBMS, you can disable the execution of Lua scripts by disabling
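The fixed releases above are spread over several branches, so a fleet-wide check has to compare each server's reported version against the fix for its own branch. The following audit helper is an added example, not code from the article or from the Redis or Valkey projects: it takes the text a server returns for `INFO server`, picks the product and version, and reports whether that version is at or above the fixed release named above for its branch. It assumes that Valkey reports a `valkey_version:` field alongside a compatibility `redis_version:` field (so `valkey_version` takes precedence when present), and it treats branches for which the article names no fixed release (for example Redis 6.0 or 5.x) as unpatched. The `INFO` excerpts are constructed samples, not real captures.

```python
"""Audit helper (added example, not from the article or the Redis/Valkey projects):
decide whether a Redis or Valkey server reports a version that already contains
the fix for CVE-2025-49844, using only the fixed releases listed in the article."""

import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the article, keyed by (major, minor) branch.
REDIS_FIXED: Dict[Tuple[int, int], Version] = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
    (6, 2): (6, 2, 20),
}
VALKEY_FIXED: Dict[Tuple[int, int], Version] = {
    (8, 1): (8, 1, 4),
    (8, 0): (8, 0, 6),
    (7, 2): (7, 2, 11),
}

# Constructed sample 'INFO server' excerpts (not real captures).
VULNERABLE_REDIS_INFO = "# Server\r\nredis_version:7.2.10\r\nredis_mode:standalone\r\nos:Linux 6.1.0 x86_64\r\n"
PATCHED_REDIS_INFO = "# Server\r\nredis_version:8.2.2\r\nredis_mode:standalone\r\n"
PATCHED_VALKEY_INFO = "# Server\r\nredis_version:7.2.4\r\nserver_name:valkey\r\nvalkey_version:8.0.6\r\nos:Linux\r\n"


def parse_version(text: str) -> Version:
    """Turn '7.2.10' (optionally with a suffix such as '-rc1') into an int tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def server_version(info: str) -> Tuple[str, Version]:
    """Extract (product, version) from the text returned by 'INFO server'.

    Assumption: Valkey reports a 'valkey_version:' line in addition to a
    compatibility 'redis_version:' line, so valkey_version wins when present.
    Comment lines ('# Server') and blank lines are ignored; values may contain
    colons, so only the first colon on a line separates key and value.
    """
    fields = dict(
        line.split(":", 1)
        for line in info.splitlines()
        if ":" in line and not line.startswith("#")
    )
    if "valkey_version" in fields:
        return "valkey", parse_version(fields["valkey_version"])
    if "redis_version" in fields:
        return "redis", parse_version(fields["redis_version"])
    raise ValueError("no redis_version or valkey_version field in INFO output")


def is_patched(info: str) -> bool:
    """True when the reported version is at or above the fixed release of its branch.

    Branches with no fixed release named in the article are treated as
    unpatched, because no fix is known for them from this source.
    """
    product, ver = server_version(info)
    table = VALKEY_FIXED if product == "valkey" else REDIS_FIXED
    fixed = table.get((ver[0], ver[1]))
    return fixed is not None and ver >= fixed


if __name__ == "__main__":
    for label, sample in (
        ("vulnerable redis", VULNERABLE_REDIS_INFO),
        ("patched redis", PATCHED_REDIS_INFO),
        ("patched valkey", PATCHED_VALKEY_INFO),
    ):
        product, ver = server_version(sample)
        state = "patched" if is_patched(sample) else "NOT patched"
        print(f"{label}: {product} {'.'.join(map(str, ver))} -> {state}")
```

In practice the `info` string would come from `redis-cli INFO server` (or any client's `INFO` call) against each instance in your inventory; the functions are kept free of network code so the same logic can be run over saved output.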
