Redis has revealed details of a major security vulnerability known as RediShell (CVE-2025-49844) that has been present for 13 years. This flaw allows an attacker with authentication privileges to execute remote code by manipulating the garbage collector with a specially crafted Lua script, causing a use-after-free condition. The severity is reflected in its CVSS score of 10.0, classifying it as a critical issue.
This vulnerability poses significant risks to organizations using Redis in production, as attackers can potentially gain unauthorized control over systems. The exposure of such a longstanding flaw underscores the importance of continuous security audits and patch management within widely used software frameworks. Prompt remediation is necessary to mitigate potential exploitation.
Redis users must urgently apply patches and review security configurations to prevent attacks leveraging this vulnerability. Future implications include increased scrutiny on database security and the need for improved safeguards in scripting capabilities embedded in database platforms.
👉 Pročitaj original: The Hacker News
