CVE-2025-49844 — AI Deep Analysis Summary

🚨 **Essence**: Redis versions ≤ 8.2.1 suffer from a **Use-After-Free (UAF)** bug in the Lua parser. 🧠 **Mechanism**: A crafted Lua script triggers a race condition with the Garbage Collector (GC).…

🛡️ **CWE**: CWE-416 (Use-After-Free). 🔍 **Root Cause**: The `luaY_parser` function fails to **anchor the chunk name string** on the Lua stack before invoking the lexer.…

📦 **Vendor**: Redis (Open Source). 📉 **Affected Versions**: **Redis 8.2.1 and earlier**. ✅ **Fixed Version**: Redis 8.2.2+.…

💻 **Privileges**: Hackers gain **Remote Code Execution (RCE)**. 🔓 **Impact**: Full control over the Redis server process. 📂 **Data**: Can read/write any data accessible to the Redis instance.…

🔑 **Auth Required**: **Yes**. The CVSS vector `PR:L` indicates **Privileges Required: Low**. 🌐 **Access**: Attacker needs network access and valid credentials to run Lua scripts.…

🔥 **Public Exploits**: **YES**. Multiple PoCs exist: - `dwisiswant0/CVE-2025-49844` (Lua Parser UAF) - `raminfp/redis_exploit` (RediShell) - `srozb/reditrap` (Honeypot detection).…

🔍 **Self-Check**: - Check Redis version (`INFO SERVER`). - Use `dwisiswant0/CVE-2025-49844` scripts to test for UAF.…

🛠️ **Official Fix**: **YES**. Patched in **Redis 8.2.2**. 🔗 **Commit**: `d5728cb` fixes the issue by pushing the chunk name to the stack before parsing. 📢 **Advisory**: GHSA-4789-qfc9-5f9q confirms the fix.…

🚧 **No Patch Workaround**: - **Disable Lua scripting** if not needed (`lua-time-limit` or config changes). - **Restrict Network Access**: Block external access to Redis ports (6379).…

⚡ **Urgency**: **CRITICAL / IMMEDIATE**. 🚨 **Priority**: P0. - CVSS 10.0 score. - Active PoCs in the wild. - RCE impact. - Easy to exploit with low privileges. 📅 **Timeline**: Published Oct 3, 2025. Fix available.…