Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-49844 PoC — Redis Lua Use-After-Free may lead to remote code execution

Source
https://github.com/srozb/reditrap
Associated Vulnerability
Title:Redis Lua Use-After-Free may lead to remote code execution (CVE-2025-49844)
Description:Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Description
Minimal Redis honeypot detecting RediShell (CVE-2025-49844) exploits.
Readme
# RediTrap Honeypot

RediTrap is a minimal Redis honeypot tailored to spot early attempts to exploit
CVE-2025-49844 ("RediShell"), the critical Remote Code Execution vulnerability
described by Wiz Research. The exploit abuses a 13 year old use-after-free bug in
the embedded Lua engine: Redis would store the Lua chunk name without first
anchoring it on the stack, allowing a garbage collection cycle to reclaim the
string while C code still used the pointer. The Redis patch
[`d5728cb`](https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539)
fixes the issue by pushing the chunk name onto the Lua stack (via
`setsvalue2s`/`incr_top`) before parsing and popping it afterwards, preventing
the stale pointer and closing the RCE primitive.

Because the published exploit path relies on sending malicious Lua scripts via
`EVAL`, `EVALSHA`, or `SCRIPT LOAD`, the honeypot focuses on surfacing those
interactions while pretending to be an unpatched Redis node.

## What it does

- Listens on the Redis TCP port (`6379` by default) and speaks a small RESP
  subset so basic probes succeed (`PING`, `INFO`, `AUTH`, etc.).
- Logs every command to a JSON-lines log file, with extra context for Lua script
  activity (SHA-1 digest, length, token heuristics, preview).
- Flags script-oriented commands as suspicious and returns safe error replies so
  untrusted payloads never execute.
- Mimics older Redis behaviour (for example, rejecting `HELLO`) to encourage
  attackers to continue their workflow.

## Getting started

```bash
python3 reditrap.py --host 0.0.0.0 --port 6379 --log-file logs/redis-honeypot-events.ndjson
```

Use `--verbose` for additional stdout logging during development.

## Container usage

Build a compact image (Alpine base):

```bash
docker build -t reditrap .
# or: podman build -t reditrap .
```

Run it with the Redis port exposed and the log directory mounted on the host:

```bash
mkdir -p honeypot-logs
docker run -d --name reditrap \
  -p 6379:6379 \
  -v "$(pwd)/honeypot-logs:/data" \
  reditrap
```

The container defaults to `--host 0.0.0.0 --port 6379 --log-file
/data/redis-honeypot-events.ndjson`, so logs land on the host at
`honeypot-logs/redis-honeypot-events.ndjson`.

Podman works the same way (add the SELinux flag if applicable):

```bash
podman run -d --name reditrap \
  -p 6379:6379 \
  -v "$(pwd)/honeypot-logs:/data:Z" \
  reditrap
```

Override defaults by appending arguments after the image name, for example:

```bash
docker run --rm -p 6379:6379 reditrap --redis-version 7.0.15 --log-file /data/attempts.ndjson
```

## Inspecting events

Each incoming request becomes an NDJSON entry. Suspicious Lua activity includes
heuristics to make triage easier. For example:

```json
{
  "action": "lua_eval",
  "args": ["return debug.getregistry()", "0"],
  "command": "EVAL",
  "info": {
    "arg_count": 2,
    "heuristics": {
      "length": 26,
      "matched_tokens": ["debug."],
      "preview": "return debug.getregistry()"
    },
    "key_count": "0",
    "script_hash": "763200efa15885c9fa970d45cc2b11711c739c13"
  },
  "remote": {"host": "203.0.113.42", "port": 58231},
  "timestamp": "2025-10-07T15:04:12.123456+00:00"
}
```

Pair the logs with network telemetry to trace the attacking source and decide on
response actions.

## Safety notes

- The honeypot never executes received Lua scripts; it immediately returns an
  error string after logging the attempt.
- Large bulk strings are capped at 8 MiB and arrays at 128 elements to reduce
  memory pressure from malicious clients.
- Run the honeypot inside an isolated network segment and forward Redis port
  traffic to it using firewall rules, port mirroring, or NAT as appropriate for
  your environment.
File Snapshot

 [4.0K]  /data/pocs/925ca25088f37a402bc55439ed4ff2c317f0926e
├── [ 415]  Dockerfile
├── [1.0K]  LICENSE
├── [3.6K]  README.md
└── [ 16K]  reditrap.py

1 directory, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →