Redis CVE-2025-49844: Use-After-Free may lead to remote code execution

https://redis.io/blog/security-advisory-cve-2025-49844/

20•khaled_ismaeel•4mo ago

Comments

normie3000•4mo ago

How does it work?

jijji•4mo ago

most people use redis on localhost (i hope)

johnbellone•4mo ago

I’d imagine recent uptick in using services like Upstash may make it harder for people to know if they are vulnerable or not. Is this mitigated by disabling Lua script execution?

arnorhs•4mo ago

I would guess it is.

Also:

> Exploitation of this vulnerability requires an attacker to first gain authenticated access to your Redis instance.

loloquwowndueo•4mo ago

Upstash wouldn’t be vulnerable - Upstash doesn’t run upstream redis, it’s a protocol-compatible proprietary implementation.

benmmurphy•4mo ago

it used to possible to execute redis commands against localhost from the web browser using domain rebinding. but i think redis did something to the protocol to fix this. also, this is only really relevant for developers.

styluss•4mo ago

52,874 are connected to the internet according to Shodan.https://www.shodan.io/search?query=redis+product%3A%22Redis+... Not affiliated with them.

NicolaiS•4mo ago

Note that this requires an authenticated user, so most redis installations are not directly at risk.

The github issue has these workarounds: > An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

I guess most people doesn't use the lua engine, so this is probably a good advice to disable even if upgrading to a non-vuln version of Redis.

alserio•4mo ago

I'd like to see stats about that. Lua scripts in Redis are one of its most useful feature

jacquesm•4mo ago

This was here already earlier today:

https://news.ycombinator.com/item?id=45497027

Also: "As part of an ongoing effort by Redis and the Redis community to maintain Redis’ safety, security, and compliance posture, a security vulnerability in Redis has been identified and remediated in the versions indicated below." seems to be a bit strange given that this wasn't an effort led by Redis?

DarkNova6•4mo ago

And this is why we need memory safety languages.

jacquesm•4mo ago

Your last three comments are more or less exactly the same thing.

DarkNova6•4mo ago

Thank you for showing interest in my profile.

As you see you can’t fault me for being consistent, can you?

Elon Musk on Space GPUs, AI, Optimus, and His Manufacturing Method

X (Twitter) is back with a new X API Pay-Per-Use model

Zlob.h 100% POSIX and glibc compatible globbing lib that is faste and better

Show HN: Deterministic signal triangulation using a fixed .72% variance constant

Scientists Discover Levitating Time Crystals You Can Hold, Defy Newton’s 3rd Law

When Michelangelo Met Titian

Solving NYT Pips with DLX

Baldur's Gate to be turned into TV series – without the game's developers

Interview with 'Just use a VPS' bro (OpenClaw version) [video]

EchoJEPA: Latent Predictive Foundation Model for Echocardiography

Disablling Go Telemetry

Effective Nihilism

The UK government didn't want you to see this report on ecosystem collapse

No 10 blocks report on impact of rainforest collapse on food prices

Seedance 2.0 Is Coming

Show HN: Fitspire – a simple 5-minute workout app for busy people (iOS)

Dexterous robotic hands: 2009 – 2014 – 2025

Interop 2025: A Year of Convergence

JobArena – Human Intuition vs. Artificial Intelligence

Concept Artists Say Generative AI References Only Make Their Jobs Harder

Show HN: PaySentry – Open-source control plane for AI agent payments

Show HN: Moli P2P – An ephemeral, serverless image gallery (Rust and WebRTC)

The Crumbling Workflow Moat: Aggregation Theory's Final Chapter

Pax Historia – User and AI powered gaming platform

Show HN: I built a RAG engine to search Singaporean laws

Scams, Fraud, and Fake Apps: How to Protect Your Money in a Mobile-First Economy

Porting Doom to My WebAssembly VM

Cognitive Style and Visual Attention in Multimodal Museum Exhibitions

Full-Blown Cross-Assembler in a Bash Script

Logic Puzzles: Why the Liar Is the Helpful One