Lacework
srubin
Staff
Article Id 414569
Description

This article explains a critical Remote Code Execution (RCE) vulnerability, CVE-2025-49844, which has been identified in Redis. On October 5th, a critical security vulnerability affecting all Redis versions was uncovered: after authenticating, an attacker can send a specially crafted Lua script that escapes the Lua sandbox and executes arbitrary code on the Redis host. A patch is available for major versions 6, 7, and 8.

Scope

Affected Versions: All.

Attack Vector: This vulnerability allows for remote code execution on servers or containers with Redis installed via a specially crafted Lua script.

Potential Impact: Unauthorized remote code execution on Redis hosts.

Solution

To mitigate this vulnerability, Redis users should immediately update to one of the following fixed versions or newer: v6.2.20, v7.2.11, v7.4.6, v8.0.4, v8.2.2.
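As an added example (not Lacework's or Redis's code), the following script classifies a Redis version string, or the `redis_version` line from `redis-cli INFO server` output, against the fixed releases listed above. It assumes, conservatively, that any release branch without a listed fix (for example 5.x or 7.0.x) is unpatched.

```python
"""Check a Redis version against the CVE-2025-49844 fixed releases (added example)."""
import re
from typing import Optional, Tuple

# First fixed release per branch, from the advisory: v6.2.20, v7.2.11, v7.4.6, v8.0.4, v8.2.2.
FIXED_VERSIONS = {
    (6, 2): (6, 2, 20),
    (7, 2): (7, 2, 11),
    (7, 4): (7, 4, 6),
    (8, 0): (8, 0, 4),
    (8, 2): (8, 2, 2),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.2.5' or 'v7.2.5' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Redis version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True only if the version is at or above the fixed release of its branch.

    Assumption: a branch with no fixed release in the advisory (e.g. 5.0.x, 7.0.x)
    is reported as not patched, since all versions are affected.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, patch) >= fixed


def check_info_server(info: str) -> Tuple[Optional[str], bool]:
    """Read redis_version from `redis-cli INFO server` output and classify it."""
    for line in info.splitlines():
        if line.startswith("redis_version:"):
            version = line.split(":", 1)[1].strip()
            return version, is_patched(version)
    return None, False  # no version line: treat as unknown / not verified patched


# Constructed sample of INFO server output (not captured from a real host).
SAMPLE_INFO = "# Server\r\nredis_version:7.2.5\r\nredis_mode:standalone\r\nos:Linux 6.1.0 x86_64\r\n"

if __name__ == "__main__":
    ver, ok = check_info_server(SAMPLE_INFO)
    print(f"redis_version={ver} patched={ok}")
```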


Lacework FortiCNAPP automatically detects this vulnerability via the Vulnerability Management module when Redis is installed via a package manager on a host or container.

FortiCNAPP also detects usage of the official Redis Docker image via alerts and will escalate the alert severity to 'Critical' when this exploit is detected to be actively in use.