
Level-10 vuln lurking in Redis source code for 13 years could allow remote code execution

(2025/10/06)


A 13-year-old critical flaw in Redis servers, rated a perfect 10 out of 10 in severity, can let an authenticated user trigger remote code execution.

For anyone using Redis Cloud, the service has already been upgraded, with fixes, so no need to do anything. But for anyone using self-managed versions of the widely used in-memory database (OSS, CE, Stack, and Software versions): upgrade to the latest release listed [1]here.

The security flaw, tracked as [2]CVE-2025-49844, affects all Redis versions with Lua scripting. It allows an authenticated attacker to send a malicious Lua script and manipulate the garbage collector – this is its memory management system intended to prevent memory leaks – and trigger a use-after-free that can potentially lead to remote code execution in the Redis server process.


It's especially concerning because it has existed in Redis source code for 13 years, according to Wiz researchers Benny Isaacs and Nir Brakha, who discovered the security hole with Trend Micro's Zero Day Initiative (ZDI) bug hunters.


"Given that Redis is used in an estimated 75 percent of cloud environments, the potential impact is extensive," Isaacs and Brakha said in an alert shared with The Register and slated to publish Monday night. "Organizations are strongly urged to patch instances immediately by prioritizing those that are exposed to the internet."

About 330,000 Redis instances remain exposed to the internet and 60,000 instances have no authentication configured, the duo added.


"We have no evidence of exploitation of these vulnerabilities in Redis Cloud or reported in customer environments," Redis Chief Information Security Officer Riaz Lakhani [10]said in an October 3 security advisory.

But considering how long the bug has been hiding out, it's still a good idea to check your operating environment for any indicators of compromise.


These, according to Lakhani, include access to the Redis database from unauthorized or unknown sources, unusual network ingress and egress traffic, unknown scripts in the database, unexplained server crashes – specifically with a stack trace originating from a Lua engine – and unexpected command execution.

Additionally, it's a good idea to use firewalls and network policies to restrict access to only trusted sources and ensure that unauthorized users can't access your database, and to enforce the use of credentials for all access to Redis instances. ®
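The indicators and hardening steps above translate into a handful of checks that can be run offline against saved `redis-cli` output. The script below is an added example written for this page, not code from Redis, Wiz or The Register. It assumes the text shapes `redis-cli INFO server` and `redis-cli CONFIG GET` print, that a Redis crash report carries a `------ STACK TRACE ------` section whose frames name the symbol, and that the fixed release number is filled in from the Redis releases page (the article does not list it, so the constant is a placeholder). All sample inputs at the bottom are constructed.

```python
"""Offline triage helpers for self-managed Redis instances (added example).

Checks, from saved redis-cli output: is the server reachable without
credentials, is it bound to every interface, is protected-mode off, is the
running release older than the fixed one, and does a crash report point at
the Lua engine. Nothing here connects to a server.
"""
import re
from typing import Dict, List, Tuple

# Placeholder: take the fixed release for your branch from
# https://github.com/redis/redis/releases before relying on the version check.
FIXED_VERSION = "X.Y.Z"

# bind tokens that mean "every interface" (a leading '-' marks an optional address)
WILDCARD_BINDS = {"*", "0.0.0.0", "::", "::*"}


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.2.4-rc1' -> (7, 2, 4); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def is_patched(running: str, fixed: str) -> bool:
    """True when the running release is at or above the fixed release."""
    if not re.fullmatch(r"\d+(\.\d+)*", fixed):
        raise ValueError("fixed release is a placeholder; set it first")
    return parse_version(running) >= parse_version(fixed)


def parse_info(text: str) -> Dict[str, str]:
    """Parse `redis-cli INFO server` output: key:value lines, '#' section headers."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            out[key] = value
    return out


def parse_config_get(text: str) -> Dict[str, str]:
    """Parse `redis-cli CONFIG GET ...` output, assumed to alternate numbered
    lines: 1) "key" / 2) "value"."""
    vals = re.findall(r'^\s*\d+\)\s*"(.*)"\s*$', text, flags=re.M)
    return dict(zip(vals[0::2], vals[1::2]))


def audit(info: Dict[str, str], cfg: Dict[str, str], fixed: str = FIXED_VERSION) -> List[str]:
    """Return one finding per hygiene gap; an empty list means nothing flagged."""
    findings: List[str] = []
    running = info.get("redis_version", "")
    try:
        if running and not is_patched(running, fixed):
            findings.append(f"unpatched: running {running}, fixed release is {fixed}")
    except ValueError:
        findings.append("fixed release not configured; version check skipped")
    if not cfg.get("requirepass"):
        findings.append("no requirepass: anyone who reaches the port is a valid user; "
                        "set a password or define ACL users")
    tokens = [t.lstrip("-") for t in cfg.get("bind", "").split()]
    if not tokens or any(t in WILDCARD_BINDS for t in tokens):
        findings.append("bind covers every interface; bind to trusted addresses and firewall the port")
    if cfg.get("protected-mode", "").lower() == "no":
        findings.append("protected-mode is off; turn it back on")
    return findings


def lua_in_stack_trace(crash_log: str) -> bool:
    """True if the crash report's stack trace contains a frame from the Lua
    engine (symbols such as luaV_execute); the report layout is assumed."""
    in_trace = False
    for line in crash_log.splitlines():
        if "STACK TRACE" in line:
            in_trace = True
            continue
        if in_trace and line.startswith("------"):
            in_trace = False
        if in_trace and re.search(r"\(lua[A-Za-z_]*", line):
            return True
    return False


# Constructed sample output, not captured from a real server.
SAMPLE_INFO = "# Server\nredis_version:7.2.4\nredis_mode:standalone\ntcp_port:6379\n"
SAMPLE_CONFIG = '1) "requirepass"\n2) ""\n3) "bind"\n4) "* -::*"\n5) "protected-mode"\n6) "no"\n'
SAMPLE_CRASH = (
    "=== REDIS BUG REPORT START ===\n"
    "------ STACK TRACE ------\n"
    "EIP:\n"
    "/usr/local/bin/redis-server *:6379(luaV_execute+0x2a)[0x55d0c3a1b2c4]\n"
    "------ INFO OUTPUT ------\n"
)

if __name__ == "__main__":
    for finding in audit(parse_info(SAMPLE_INFO), parse_config_get(SAMPLE_CONFIG)):
        print("-", finding)
    print("Lua frame in crash report:", lua_in_stack_trace(SAMPLE_CRASH))
```

Feed it `redis-cli INFO server` and `redis-cli CONFIG GET requirepass bind protected-mode` saved from each instance, and the crash report from the server log where one exists. For users that never need scripting, Redis ACLs can additionally remove the `@scripting` command category so that EVAL is not reachable with stolen or weak credentials.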




[1] https://github.com/redis/redis/releases

[2] https://nvd.nist.gov/vuln/detail/CVE-2025-49844



[10] https://redis.io/blog/security-advisory-cve-2025-49844/




Stupid people

VoiceOfTruth

>> About 330,000 Redis instances remain exposed to the internet

Idiots do this. I cannot think why Redis needs to be exposed to anywhere other than a limited list of permitted hosts. This is not exactly a new concept. Back in the good old days, tcp wrappers blocked access to anywhere but a list of permitted hosts. Firewalls went further. If these people get hacked they need to look in the mirror.

Thanks

DarkwavePunk

I really needed PTSD about Redis on a Monday. Fortunately the stack I worked on was so bad that this would make no difference. Nothing says fun like putting personal data into an insecure pile of shite for a global recruitment agency. Happy days.

How many of those alarms are we getting now each month?

Jou (Mxyzptlk)

Oh my, we built our internet cities not on rock... Really not. Not even on pebble. More like marbles and toy cars on near-freezing lube on a slope which moves... This is a systemic problem, for open source 'cause of missing resources, for closed source 'cause companies have the incentive to be as cheap as possible.

There are those which are not prone to that, but those are so rare. Wasn't it at NASA three teams? Programming, QA testers, debugger/reviewers? About 50+ years ago?

Re: How many of those alarms are we getting now each month?

Anonymous Coward

You have just defined the difference between 'then' and 'now' !!!

'Then' == Do it right !!!

'Now' == Do it cheap !!!

:)

Re: How many of those alarms are we getting now each month?

elsergiovolador

I remember working at an outfit where a feature had to have a full test suite written and on top of that signed off by 3 independent QA testers.

It was really cool because those people could find things you never considered, and managers hated them because "they" were slowing down the delivery.

Eventually the board decided that keeping such a high standard was not necessary, fired the entire QA team and told managers to make devs do QA.

That led the system to become a bug fest because devs were not allowed extra time for QA work.

I have a very good DENTAL PLAN. Thank you.