CVE-2025-49844
CRITICALDescription
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| redis | redis |
| redis | redis |
| redis | redis |
| redis | redis |
| redis | redis |
| lfprojects | valkey |
| lfprojects | valkey |
| lfprojects | valkey |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-49844? +
How severe is CVE-2025-49844? +
What products are affected by CVE-2025-49844? +
How do I check if I'm vulnerable to CVE-2025-49844? +
Related Vulnerabilities
A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the …
rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice …
XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder …
c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue …
There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an …
There is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandler in the QtNetwork module. This only affects HTTP/2 handling, HTTP …