Redis CVE-2025-49844: Use-After-Free may lead to remote code execution (opens in new tab)

(redis.io)

20 pointskhaled_ismaeel5mo ago13 comments

13 comments

This was here already earlier today:

https://news.ycombinator.com/item?id=45497027

Also: "As part of an ongoing effort by Redis and the Redis community to maintain Redis’ safety, security, and compliance posture, a security vulnerability in Redis has been identified and remediated in the versions indicated below." seems to be a bit strange given that this wasn't an effort led by Redis?

NicolaiS5mo ago

Note that this requires an authenticated user, so most redis installations are not directly at risk.

The github issue has these workarounds: > An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

I guess most people doesn't use the lua engine, so this is probably a good advice to disable even if upgrading to a non-vuln version of Redis.

alserio5mo ago

I'd like to see stats about that. Lua scripts in Redis are one of its most useful feature

DarkNova65mo ago

And this is why we need memory safety languages.

jacquesm5mo ago

Your last three comments are more or less exactly the same thing.

DarkNova65mo ago

Thank you for showing interest in my profile.

As you see you can’t fault me for being consistent, can you?

normie30005mo ago

How does it work?

jijji5mo ago

most people use redis on localhost (i hope)

styluss5mo ago

52,874 are connected to the internet according to Shodan.https://www.shodan.io/search?query=redis+product%3A%22Redis+... Not affiliated with them.

johnbellone5mo ago

I’d imagine recent uptick in using services like Upstash may make it harder for people to know if they are vulnerable or not. Is this mitigated by disabling Lua script execution?

loloquwowndueo5mo ago

Upstash wouldn’t be vulnerable - Upstash doesn’t run upstream redis, it’s a protocol-compatible proprietary implementation.

arnorhs5mo ago

I would guess it is.

Also:

> Exploitation of this vulnerability requires an attacker to first gain authenticated access to your Redis instance.

benmmurphy5mo ago

it used to possible to execute redis commands against localhost from the web browser using domain rebinding. but i think redis did something to the protocol to fix this. also, this is only really relevant for developers.

j / k navigate · click thread line to collapse

13 comments

jacquesm5mo ago

This was here already earlier today:

https://news.ycombinator.com/item?id=45497027

NicolaiS5mo ago

Note that this requires an authenticated user, so most redis installations are not directly at risk.

I guess most people doesn't use the lua engine, so this is probably a good advice to disable even if upgrading to a non-vuln version of Redis.

alserio5mo ago

I'd like to see stats about that. Lua scripts in Redis are one of its most useful feature

DarkNova65mo ago

And this is why we need memory safety languages.

jacquesm5mo ago

Your last three comments are more or less exactly the same thing.

DarkNova65mo ago

Thank you for showing interest in my profile.

As you see you can’t fault me for being consistent, can you?

normie30005mo ago

How does it work?

jijji5mo ago

most people use redis on localhost (i hope)

styluss5mo ago

52,874 are connected to the internet according to Shodan.https://www.shodan.io/search?query=redis+product%3A%22Redis+... Not affiliated with them.

johnbellone5mo ago

I’d imagine recent uptick in using services like Upstash may make it harder for people to know if they are vulnerable or not. Is this mitigated by disabling Lua script execution?

loloquwowndueo5mo ago

Upstash wouldn’t be vulnerable - Upstash doesn’t run upstream redis, it’s a protocol-compatible proprietary implementation.

arnorhs5mo ago

I would guess it is.

Also:

> Exploitation of this vulnerability requires an attacker to first gain authenticated access to your Redis instance.

benmmurphy5mo ago

j / k navigate · click thread line to collapse