
A critical remote code execution vulnerability lurking in Redis for over a decade has been discovered by cybersecurity researchers, potentially exposing hundreds of thousands of database instances worldwide to complete system compromise.
Dubbed "RediShell" and tracked as CVE-2025-49844, the flaw has received the rare maximum CVSS severity score of 10.0, which makes it the first critical vulnerability ever identified in the widely used in-memory database. Security firm Wiz Research, which uncovered the bug, reported that it affects every Redis version with Lua scripting support, and that Redis itself is present in an estimated 75% of cloud environments.
The vulnerability is a use-after-free (UAF) memory corruption bug in Redis's embedded Lua scripting engine: an authenticated attacker (or anyone at all, on an instance with no authentication configured) submits a specially crafted Lua script that escapes the scripting sandbox. Successful exploitation yields native code execution on the host with the privileges of the redis-server process, which is enough to steal credentials, deploy malware, exfiltrate sensitive data, or pivot laterally within cloud infrastructure.
"An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution," Redis stated in its official security advisory.
The scope of exposure is alarming. Wiz Research's analysis found approximately 330,000 Redis instances exposed to the internet, with around 60,000 lacking any authentication whatsoever. The problem is compounded by the fact that 57% of cloud environments deploy Redis as container images, many of which ship without authentication enabled by default.
"The combination of no authentication and exposure to the internet is highly dangerous," the Wiz team warned, noting that attackers can simply send malicious Lua scripts to unprotected instances without any credentials.
Even internal deployments face significant risk. Redis instances on corporate networks often lack robust authentication, creating opportunities for attackers who've already gained initial access to an environment to pivot into critical systems.
Redis has released version 8.2.2 to address the vulnerability, which affects all earlier releases (8.2.1 and below). Organizations are urged to update immediately, prioritizing internet-facing and unauthenticated instances. For those unable to patch immediately, Redis recommends using Access Control Lists (ACLs) to restrict the EVAL and EVALSHA commands, effectively disabling Lua scripting until updates can be applied. Those are not the only commands that run Lua, however: EVAL_RO, EVALSHA_RO and the Redis Functions commands (FCALL, FCALL_RO, FUNCTION LOAD) go through the same scripting engine, so denying the whole @scripting ACL category to every user that does not need scripting is the more complete form of the workaround.
The discovery underscores the persistent security challenges facing open-source infrastructure. As organizations increasingly depend on tools like Redis for mission-critical operations, vulnerabilities of this magnitude can have cascading effects across entire cloud ecosystems. Security teams should audit their Redis deployments, enable authentication, implement network-level controls, and monitor for suspicious Lua script execution.
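As an added example (not code from Wiz Research or the Redis project), the following stdlib-only Python script performs the checks recommended above against a single instance: whether the server answers without authentication, whether its redis_version predates the fix, and whether EVAL is still permitted for the identity you connect as, which is exactly what the ACL workaround is supposed to prevent. It speaks the RESP wire protocol directly over a socket, so it needs no client library. The 8.2.2 fix version is from the advisory as quoted above; the fix versions for the older release lines are my reading of the Redis advisory and are an assumption to verify there. Host, port and password are whatever you pass on the command line.

```python
"""Audit one Redis instance for CVE-2025-49844 exposure: no authentication,
an unpatched redis_version, and Lua scripting (EVAL) still reachable.
Stdlib only: a minimal RESP2 client over a raw socket."""
import socket
import sys

# Fixed version per release line. 8.2.2 is the one named in the advisory; the
# backports for older lines are my reading of the Redis advisory (assumption:
# verify them there before relying on this table).
FIXED = {(8, 2): (8, 2, 2), (8, 0): (8, 0, 4), (7, 4): (7, 4, 6),
         (7, 2): (7, 2, 11), (6, 2): (6, 2, 20)}


class RedisError(Exception):
    """An error reply ('-...') from the server, e.g. NOAUTH or NOPERM."""


class Incomplete(Exception):
    """Raised by parse() when the buffer does not yet hold a whole reply."""


def encode(*args):
    """Encode a command as a RESP array of bulk strings."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg.encode() if isinstance(arg, str) else arg
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def parse(buf):
    """Parse one RESP2 reply; return (value, remaining_bytes)."""
    if b"\r\n" not in buf:
        raise Incomplete
    kind, body = buf[:1], buf[1:]
    line, _, rest = body.partition(b"\r\n")
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        return RedisError(line.decode()), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, rest          # null bulk string
        if len(rest) < n + 2:
            raise Incomplete
        return rest[:n].decode(), rest[n + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = parse(rest)
            items.append(item)
        return items, rest
    raise ValueError("unsupported RESP type %r" % kind)


def command(sock, *args):
    """Send one command and return the decoded reply (errors as RedisError values)."""
    sock.sendall(encode(*args))
    buf = b""
    while True:
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        try:
            value, _ = parse(buf)
            return value
        except Incomplete:
            pass


def version_from_info(info):
    """Extract redis_version from an INFO reply as a tuple of ints."""
    for line in info.splitlines():
        if line.startswith("redis_version:"):
            return tuple(int(x) for x in line.split(":", 1)[1].strip().split("."))
    return None


def is_patched(version):
    """True if this version is at or past the fix for its release line."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Unknown line: trust it only if it is newer than the newest listed fix.
        return version >= (8, 2, 2)
    return version >= fixed


def assess(auth_required, version, eval_allowed):
    """Turn probe results into a list of findings (empty means nothing found)."""
    findings = []
    if not auth_required:
        findings.append("no authentication: any client that can reach the port can submit Lua scripts")
    if version is None:
        findings.append("could not read redis_version (authenticate to check the patch level)")
    elif not is_patched(version):
        findings.append("redis_version %s predates the fix for CVE-2025-49844" % ".".join(map(str, version)))
    if eval_allowed:
        findings.append("EVAL is permitted for this identity: the ACL workaround is not in place")
    return findings


def audit(host, port=6379, password=None, timeout=5.0):
    """Connect to one instance, probe it, and return the findings."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reply = command(sock, "PING")
        if isinstance(reply, RedisError) and str(reply).startswith("DENIED"):
            return ["protected mode refused the connection (unauthenticated, non-loopback bind)"]
        auth_required = isinstance(reply, RedisError) and str(reply).startswith("NOAUTH")
        if auth_required and password:
            command(sock, "AUTH", password)
        info = command(sock, "INFO", "server")
        version = version_from_info(info) if isinstance(info, str) else None
        # A harmless script: this only tells us whether EVAL is allowed at all.
        eval_allowed = command(sock, "EVAL", "return 1", "0") == 1
    return assess(auth_required, version, eval_allowed)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6379
    secret = sys.argv[3] if len(sys.argv) > 3 else None
    for finding in audit(target, port, secret) or ["no findings"]:
        print("%s:%d  %s" % (target, port, finding))
```

Run it as `python3 audit.py <host> [port] [password]` from a machine that can reach the instance. An empty result means the server demanded authentication, reported a patched version, and refused EVAL for the credentials used; a server that answers PING, reports an old version and accepts EVAL shows all three findings and should be patched or fenced off first. The EVAL probe runs `return 1`, so it is safe against patched and unpatched servers alike; it does not attempt to trigger the bug.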