CVE-2025-49844 – Redis Lua Parser Use-After-Free# CVE-2025-49844 – Redis Lua Parser Use-After-Free
Lua chunk-name GC race leading to Redis 8.2.1 use-after-free and remote code execution.
## Overview
Redis embeds Lua 5.1 for scripting. In versions up to 8.2.1 the `luaY_parser` function does NOT anchor the chunk name string on the Lua stack before invoking the lexer. A crafted script can trigger garbage collection while the parser still references the freed string, producing a UAF that leads to native code execution.
## Environment
- Redis server 8.2.1 (or any vulnerable release before 8.2.2)
- `redis-cli`
- Local network access to the Redis instance
## Files
- [`CVE-2025-49844.lua`](/CVE-2025-49844.lua) – hammer the parser with thousands of `loadstring` calls and a GC-enabled chunk name to win the race.
## Usage
```bash
while redis-cli -h localhost -p 6379 --eval CVE-2025-49844.lua >/dev/null; do
printf '.'
done
```
**Expected result:**
On vulnerable builds the Redis process eventually crashes or drops the connection. Patched 8.2.2 (commit [d5728cb5795c966c5b5b1e0f0ac576a7e69af539](https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539)) anchors the chunk name and the script runs harmlessly.
## Mitigation
Upgrade to Redis 8.2.2 or later, or disable Lua scripting for untrusted users.登录后查看神龙缓存的 POC 文件快照
登录查看