CVE-2025-49844

Media report

EPSS 0.1%
Published 03.10.2025 19:27:23
Last modified 07.10.2025 15:40:02
Source security-advisories@github.com
Teams watchlist Login
Open Login

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Redis ≫ Redis Version < 6.2.20

Redis ≫ Redis Version >= 7.0 < 7.2.11

Redis ≫ Redis Version >= 7.4.0 < 7.4.6

Redis ≫ Redis Version >= 8.0.0 < 8.0.4

Redis ≫ Redis Version >= 8.2.0 < 8.2.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.1%	0.274

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
security-advisories@github.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://www.heise.de/news/Redis-Kritische-Codeschmuggel-Luecke-in-Datenbank-10733632.html

Medienbericht

heise Security

https://github.com/redis/redis/releases/tag/8.2.2

Release Notes

https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q

Third Party Advisory

https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-49844

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-49844

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-49844

EUVD