CVE-2025-49844 · CRITICAL 9.9 · EPSS p99.7%

Description

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around this issue without patching the redis-server executable, prevent users from executing Lua scripts. This can be done using ACL to restrict the EVAL and EVALSHA commands.

Scoring

CVSS 3.1: 9.9 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 86.27% probability of exploitation · percentile 99.7% · 2026-06-17T12:03:21Z
Published: 2025-10-03
Last modified: 2026-03-20

Underlying weaknesses · 1

CWE-416

References

  1. https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539
  2. https://github.com/redis/redis/releases/tag/8.2.2
  3. https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q
  4. http://www.openwall.com/lists/oss-security/2025/10/07/2
  5. https://github.com/lastvocher/redis-CVE-2025-49844

Type      Target                    Confidence  Tier
Weakness  Use After Free (cwe-416)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-23631
CVE: CVE-2025-46817
CVE: CVE-2026-23479
CVE: CVE-2026-25243
CVE: CVE-2025-62507
CVE: Debian-specific Redis Server Lua Sandbox Escape Vulnerability
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.