Redis has disclosed details of a maximum-severity security flaw in its in-memory database software that could result in remote code execution under certain circumstances.
The vulnerability, tracked as CVE-2025-49844 (aka RediShell), has been assigned a CVSS score of 10.0.
“An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution,” according to a GitHub advisory for the issue. “The problem exists in all versions of Redis with Lua scripting.”
Successful exploitation, however, requires an attacker to first obtain authenticated access to a Redis instance, making it important that users do not leave their Redis instances exposed to the Internet and that they secure them with strong authentication.
The issue affects all versions of Redis. It has been addressed in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, released in October 2025.
As a temporary workaround until the patch can be applied, users are advised to prevent Lua script execution by configuring an access control list (ACL) that restricts the EVAL and EVALSHA commands. It is also important to ensure that only trusted identities can run Lua scripts or any other potentially risky commands.
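The ACL workaround above turned into an audit, as an added example that is not Redis or Wiz code: the following Python walks ACL LIST output and flags users that can still run EVAL or EVALSHA, so a defender can see who needs the restriction before the patch lands. The command-category table, the sample ACL lines and the user names are constructed for the example.

```python
# Constructed subset of Redis command categories, enough for the scripting commands.
CATEGORIES = {"eval": {"scripting", "slow"}, "evalsha": {"scripting", "slow"}}
SCRIPT_CMDS = ("eval", "evalsha")

def can_run(rules: str, cmd: str) -> bool:
    """Apply an ACL rule string left to right; True if `cmd` ends up permitted.
    Handles on/off/reset, +@all/allcommands, -@all/nocommands, +@cat/-@cat, +cmd/-cmd.
    Password, key and channel tokens (nopass, #..., ~..., &...) carry no command
    permissions and are skipped; +cmd|sub rules are not modelled."""
    cmd = cmd.lower()
    cats = CATEGORIES.get(cmd, set())
    enabled, allowed = False, False  # a fresh user is off with no commands
    for tok in rules.split():
        if tok in ("on", "off"):
            enabled = tok == "on"
        elif tok == "reset":  # reset implies off and -@all
            enabled, allowed = False, False
        elif tok in ("allcommands", "+@all"):
            allowed = True
        elif tok in ("nocommands", "-@all"):
            allowed = False
        elif tok.startswith(("+@", "-@")):
            if tok[2:] in cats:
                allowed = tok[0] == "+"
        elif tok[0] in "+-" and "|" not in tok:
            if tok[1:].lower() == cmd:
                allowed = tok[0] == "+"
    return enabled and allowed

def scripting_users(acl_list):
    """Return {user: [scripting commands it may still run]} from ACL LIST lines."""
    exposed = {}
    for line in acl_list:
        parts = line.strip().strip('"').split(" ", 2)
        if parts[0] != "user":
            continue
        rules = parts[2] if len(parts) > 2 else ""
        cmds = [c for c in SCRIPT_CMDS if can_run(rules, c)]
        if cmds:
            exposed[parts[1]] = cmds
    return exposed

# Constructed ACL LIST output; "#placeholder" stands in for a password hash.
SAMPLE_ACL_LIST = [
    'user default on nopass sanitize-payload ~* &* +@all',
    'user app on #placeholder ~app:* resetchannels -@all +@read +@write +@scripting',
    'user reporter on #placeholder ~report:* resetchannels -@all +@read',
    'user app-fixed on #placeholder ~app:* -@all +@read +@write +@scripting -eval -evalsha',
]
```

Running `scripting_users(SAMPLE_ACL_LIST)` reports `default` and `app`; the `app-fixed` line shows the same user after appending the `-eval -evalsha` rules the article recommends.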
Cloud security company Wiz, which discovered and reported the flaw to Redis on May 16, 2025, described it as a use-after-free (UAF) memory corruption bug that has been present in the Redis source code for about 13 years.
This essentially allows an attacker to send a malicious Lua script that leads to arbitrary code execution outside the Redis Lua interpreter sandbox, giving them unauthorized access to the underlying host. In a hypothetical attack scenario, it could be leveraged to steal credentials, drop malware, exfiltrate sensitive data, or pivot to other cloud services.
“This flaw allows a post-auth attacker to send a specially crafted malicious Lua script (a feature supported in Redis) to escape the Lua sandbox and achieve arbitrary native code execution on the Redis host,” Wiz said. “It gives an attacker full access to the host system, allowing them to exfiltrate sensitive data, hijack resources, wipe or encrypt data, and facilitate lateral movement within the cloud environment.”
While there is no evidence that the vulnerability has ever been exploited in the wild, Redis instances are an attractive target for threat actors looking to conduct cryptojacking attacks and enlist them in a botnet. As of writing, there are about 330,000 Redis instances exposed to the Internet, about 60,000 of which lack any authentication.
“With hundreds of exposed instances around the world, this vulnerability is a significant threat to organizations across all industries,” Wiz said. “The combination of exposure, insecure default configurations, and the severity of the vulnerability creates an urgent need for immediate remediation.”