Overview
- Redis has released patches across supported OSS/CE/Stack and Software lines, and Redis Cloud has already been upgraded automatically.
- CVE-2025-49844 stems from a 13-year-old Lua use-after-free that lets a crafted script escape the sandbox to execute native code on the host, earning a CVSS 10.0 rating.
- Wiz reports roughly 330,000 Redis instances exposed online, including about 60,000 that do not require authentication.
- Successful exploitation could grant full host access for credential theft, malware or cryptominer deployment, data exfiltration, and lateral movement in cloud environments.
- Redis says there is no evidence of exploitation in Redis Cloud to date and urges immediate upgrades plus hardening steps such as enabling authentication, restricting network access, disabling Lua if unused, running as non-root, and monitoring for suspicious activity.