Particle.news

Redis Patches Critical 13-Year Lua Flaw That Enables Remote Code Execution

Researchers urge immediate upgrades following scans revealing hundreds of thousands of internet-exposed instances.

Overview

  • Tracked as CVE-2025-49844 with a CVSS score of 10.0, the bug is a use-after-free in Redis's embedded Lua engine that lets a crafted script escape the sandbox and run code on the host.
  • Redis released fixes across OSS/CE/Stack/Software editions, and maintainers advise prioritizing upgrades for deployments reachable from the internet.
  • Wiz measured roughly 330,000 Redis servers exposed online, including about 60,000 without authentication enabled.
  • Redis Cloud has already been upgraded, and CISO Riaz Lakhani says there is no evidence of exploitation in managed service or reported customer environments.
  • Mitigations urged by Redis and Wiz include enforcing authentication, restricting network access, disabling Lua scripting if not needed, running as non-root, and monitoring for Lua-related crashes and unknown scripts.
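A small audit of the configuration-level mitigations in the last bullet (authentication, network restriction, disabling Lua scripting), as an added example that is not from the article, Redis or Wiz. The directive names are real redis.conf directives; the two sample configs and the finding labels are constructed for illustration.

```python
# Audit a redis.conf for the mitigations listed above (added example).
# Directive names are real redis.conf directives; sample configs are constructed.

WEAK_CONF = """bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass change-me-placeholder
user default on >change-me-placeholder ~* &* +@all -@scripting
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::*", "::"}  # bind tokens that expose all interfaces


def parse_conf(text):
    """Return {directive: [argument strings]} (a directive may repeat, e.g. rename-command)."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name.lower(), []).append(args.strip())
    return directives


def audit(text):
    """Return a list of constructed finding labels for the mitigations the article lists."""
    d = parse_conf(text)
    findings = []
    # 1. Authentication: requirepass, or an ACL rule that sets a password for the default user.
    user_rules = d.get("user", [])
    has_pass = "requirepass" in d or any(a.startswith("default") and ">" in a for a in user_rules)
    if not has_pass:
        findings.append("no-auth")
    # 2. Network exposure: no bind at all, a wildcard bind, or protected-mode switched off.
    bind_tokens = [tok.lstrip("-") for b in d.get("bind", []) for tok in b.split()]
    if not bind_tokens or any(tok in WILDCARD_BINDS for tok in bind_tokens):
        findings.append("exposed-bind")
    if d.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode-off")
    # 3. Lua still reachable: EVAL/EVALSHA neither blanked via rename-command nor denied via ACL.
    renamed = {a.split()[0].upper() for a in d.get("rename-command", []) if a.endswith('""')}
    acl_denies_scripting = any("-@scripting" in a for a in user_rules)
    if not ({"EVAL", "EVALSHA"} <= renamed or acl_denies_scripting):
        findings.append("lua-enabled")
    return findings
```

Running as non-root and watching for Lua-related crashes are host and log controls rather than redis.conf settings, so the auditor does not cover them.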