
CVE-2025-49844 PoC — Redis Lua Use-After-Free may lead to remote code execution

Associated Vulnerability

Title: Redis Lua Use-After-Free may lead to remote code execution (CVE-2025-49844)

Description: Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around this issue without patching the redis-server executable, prevent users from executing Lua scripts; this can be done with ACLs that restrict the EVAL and EVALSHA commands.
# 🚨 ALERT: Redis Exploit Detected — CVE-2025-49844 (RediShell)
---
🚨 **CVE-2025-49844 — “RediShell”**
---
**Severity:** 🔴 Critical — CVSS 9.9–10.0  
**Type:** Use-After-Free → Remote Code Execution (RCE)  
**Component:** Redis Lua Scripting Engine  
**Status:** Patched in Redis 8.2.2  
**Published:** October 2025  
---

## 🧠 Overview
A critical memory corruption bug in Redis’s Lua scripting engine allows **authenticated attackers** to run specially crafted Lua scripts that trigger a **use-after-free** condition.  
This breaks the Lua sandbox and enables **native code execution on the host**, leading to **full system compromise**.

Lua scripting is built into Redis and enabled by default, and many Redis instances are reachable from untrusted networks, which makes this vulnerability extremely high risk.

---

## ⚙️ Technical Summary
**Root cause:** Unsafe memory reuse in Lua garbage collector handling of freed objects.  
**Trigger:** Crafted Lua scripts executed via `EVAL` or `EVALSHA`.  
**Impact:** Sandbox escape → native code execution → host takeover.  
**Authentication:** Required (or bypassed via misconfiguration).  
**Exploitation complexity:** Low once access obtained.

```
Attack Flow Diagram
──────────────────────────────
[Authenticated Access]
        ↓
[Malicious Lua Script]
        ↓
[Use-After-Free Trigger]
        ↓
[Sandbox Escape → RCE]
        ↓
[Host Compromise]
──────────────────────────────
```

---

## 🧩 Affected Versions
| Branch | Vulnerable | Fixed |
|---------|-------------|--------|
| 8.x | ≤ 8.2.1 | 8.2.2 |
| 8.0.x | ≤ 8.0.3 | 8.0.4 |
| 7.4.x | ≤ 7.4.5 | 7.4.6 |
| 7.2.x | ≤ 7.2.10 | 7.2.11 |

**Redis forks or enterprise builds** that include Lua scripting are likely impacted.
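The table above is easy to misread when a fleet runs several branches, so here is an added example (not part of the original README) that encodes it as data and checks a `redis-cli INFO server` response against it. The sample `INFO` output is constructed; the branch rows are taken from the table, and versions on branches the table does not list are treated as vulnerable with no fixed release, following the advisory's statement that the bug exists in every Redis version with Lua scripting.

```python
import re

# Fixed versions per branch, copied from the affected-versions table above.
# Longer prefixes come first so 8.0.x is matched before the generic 8.x row.
FIXED_BY_BRANCH = [
    ((8, 0), (8, 0, 4)),
    ((7, 4), (7, 4, 6)),
    ((7, 2), (7, 2, 11)),
    ((8,), (8, 2, 2)),
]


def parse_version(text):
    """Turn a redis_version string such as '7.4.5' or '8.2.1-rc1' into an int tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised redis_version: {text!r}")
    return tuple(int(x) for x in m.groups())


def parse_info_server(info_text):
    """Parse the key:value lines of `redis-cli INFO server` into a dict, skipping '# Server' headers."""
    fields = {}
    for line in info_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def assess(version):
    """Return (vulnerable, fixed_in) for a version tuple, per the table above.

    fixed_in is the first fixed release of that branch as a string, or None when
    the branch has no fixed release in the table; such branches are reported as
    vulnerable because the advisory says every Lua-capable Redis is affected.
    """
    for prefix, fixed in FIXED_BY_BRANCH:
        if version[: len(prefix)] == prefix:
            return version < fixed, ".".join(map(str, fixed))
    return True, None


def assess_info(info_text):
    """INFO server text -> (version string, vulnerable, fixed_in)."""
    version_str = parse_info_server(info_text)["redis_version"]
    vulnerable, fixed_in = assess(parse_version(version_str))
    return version_str, vulnerable, fixed_in


# Constructed sample shaped like `redis-cli INFO server` output (not real server output).
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:7.4.5\r\n"
    "redis_mode:standalone\r\n"
    "os:Linux 6.1.0 x86_64\r\n"
)

if __name__ == "__main__":
    version, vulnerable, fixed_in = assess_info(SAMPLE_INFO)
    print(f"redis_version={version} vulnerable={vulnerable} fixed_in={fixed_in}")
```

Feed it the real output of `redis-cli INFO server` from each host to get a per-instance verdict; the ordering of `FIXED_BY_BRANCH` matters, since an 8.0.x server must be compared against 8.0.4 rather than the 8.x row.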

---

## 📉 Impact Summary
- Remote Code Execution (RCE)  
- Complete host compromise  
- Data theft or tampering  
- Potential lateral movement inside networks  
- Redis service crashes or instability  

---

## 🕓 Disclosure Timeline
- Vulnerability identified mid-2025  
- Official advisory and patches released October 2025  
- Security research write-ups and PoC demos appeared shortly after  
- Active scanning observed within weeks of disclosure  

---

## 🔎 Indicators of Compromise (IoCs)
- Unexpected or excessive `EVAL` / `EVALSHA` usage  
- Redis crashes mentioning `lua_gc`, `scripting.c`, or segmentation faults  
- Redis processes spawning unexpected shells or binaries  
- Outbound network connections from Redis host  
- Newly created Redis users or ACL changes  
- Unrecognized Lua scripts or stored keys  

---

## 🧰 Detection & Verification
**Check Redis version**
```
redis-cli INFO server | grep redis_version
```

**Search logs for script execution**
```
grep -i "EVAL" /var/log/redis/*.log
```

**Check for crashes**
```
journalctl -u redis.service | grep -E "lua_gc|segfault"
```

**Inspect running processes / network**
```
ps aux | grep redis
ss -tunap | grep redis
```
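One caveat on the log search above: a stock redis-server does not log the commands it executes, so grepping the server log will surface crash reports but not `EVAL` activity. Per-client command counts need `redis-cli MONITOR` output (or command logging from a proxy). The following added example, written for this page rather than taken from the README or from Redis, turns the IoC list above into two checks: a crash-indicator scan over server-log lines and a scripting-command count per client over MONITOR lines. Both sample inputs are constructed; the threshold is a placeholder for a site-specific baseline, and the command set extends the page's `EVAL`/`EVALSHA` with the other Lua entry points.

```python
import re
from collections import Counter

# Crash-report strings the IoC list above names (lua_gc, scripting.c, segfaults),
# plus the "crashed by signal" line that opens a Redis bug report.
CRASH_RE = re.compile(r"lua_gc|scripting\.c|segmentation fault|segfault|crashed by signal", re.I)

# One line of `redis-cli MONITOR` output, e.g.
#   1759999999.123456 [0 10.0.0.5:51234] "EVAL" "return 1" "0"
MONITOR_RE = re.compile(r'^\d+\.\d+ \[(\d+) ([^\]]+)\] "([^"]+)"')

# EVAL/EVALSHA are the commands the IoC list names; the others are the remaining
# scripting entry points, added here as an extension of the page's list.
SCRIPT_COMMANDS = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO", "FCALL", "FCALL_RO", "SCRIPT", "FUNCTION"}


def scan_server_log(lines):
    """Return the server-log lines that carry a crash indicator."""
    return [line for line in lines if CRASH_RE.search(line)]


def count_script_calls(monitor_lines):
    """Count scripting commands per client address in MONITOR output."""
    counts = Counter()
    for line in monitor_lines:
        m = MONITOR_RE.match(line)
        if m and m.group(3).upper() in SCRIPT_COMMANDS:
            counts[m.group(2)] += 1
    return counts


def flag_excessive(counts, threshold):
    """Clients at or above the threshold; the threshold is a site-specific baseline."""
    return {addr: n for addr, n in counts.items() if n >= threshold}


# Constructed sample lines in the redis-server log format (pid:role date level message).
SAMPLE_LOG = [
    "4321:M 09 Oct 2025 12:00:00.000 * Ready to accept connections tcp",
    "4321:M 09 Oct 2025 12:01:02.123 # Redis 7.4.5 crashed by signal: 11, si_code: 1",
    "4321:M 09 Oct 2025 12:01:02.130 # Backtrace: redis-server(lua_gc+0x3c)",
    "4321:M 09 Oct 2025 12:01:05.000 * DB saved on disk",
]

# Constructed sample MONITOR lines: one client issuing repeated scripts, one ordinary client.
SAMPLE_MONITOR = [
    '1759999999.100000 [0 10.0.0.5:51234] "AUTH" "(redacted)"',
    '1759999999.200000 [0 10.0.0.5:51234] "EVAL" "return 1" "0"',
    '1759999999.300000 [0 10.0.0.5:51234] "EVALSHA" "e0e1f9fabfc9d4800c18a9e7bd1c7ed4a3b5e6f7" "0"',
    '1759999999.400000 [0 10.0.0.9:40000] "GET" "session:abc"',
    '1759999999.500000 [0 10.0.0.5:51234] "EVAL" "return 2" "0"',
    '1759999999.600000 [0 10.0.0.9:40000] "EVAL" "return 3" "0"',
]

if __name__ == "__main__":
    for hit in scan_server_log(SAMPLE_LOG):
        print("crash indicator:", hit)
    counts = count_script_calls(SAMPLE_MONITOR)
    print("scripting calls per client:", dict(counts))
    print("over threshold:", flag_excessive(counts, 3))
```

`MONITOR` itself costs server throughput, so run it for short windows during verification rather than continuously; a client that should never run scripts showing up in `count_script_calls` at all is a stronger signal than the count.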

---

## 🛠 Mitigation & Workarounds

### 🔹 Immediate (0–24 hours)
1. **Upgrade to Redis 8.2.2 or newer.**  
2. **Disable scripting** for untrusted users:
   ```
   ACL SETUSER default -EVAL -EVALSHA
   ```
3. **Require authentication** — enforce `requirepass` or ACL logins.  
4. **Restrict network access** — allow only trusted internal IPs/VPNs.  
5. **Run Redis as a non-root user** to reduce impact.
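After applying the ACL change in step 2 it is worth confirming what each user can still run, because `-EVAL -EVALSHA` alone leaves the other Lua entry points (`EVAL_RO`, `EVALSHA_RO`, `FCALL`, `FCALL_RO`, `SCRIPT`, `FUNCTION`) in place, whereas `-@scripting` removes the whole category. The following added example (not from the README or from Redis) audits `ACL LIST` output line by line with a simplified model of Redis's left-to-right rule evaluation. The sample ACL lines are constructed with placeholder password hashes; only the `@all` and `@scripting` categories are modelled, and selectors in parentheses are not evaluated, which is an assumption of this example.

```python
# Members of Redis's @scripting ACL category: EVAL and EVALSHA (named above) plus
# the other commands that execute Lua. Assumed complete for the purpose of this audit.
SCRIPTING = {"eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro", "script", "function"}


def scripting_allowed(acl_line):
    """Return (username, set of scripting commands the user may run) for one `ACL LIST` line.

    Rules are applied left to right, as Redis does. Other categories (@read, @write, ...)
    contain no scripting commands and are ignored; ACL selectors "(...)" are not evaluated.
    """
    tokens = acl_line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    name = tokens[1]
    allowed = set()
    enabled = True
    for tok in tokens[2:]:
        if tok == "on":
            enabled = True
        elif tok == "off":
            enabled = False
        elif tok == "reset":            # reset disables the user and implies -@all
            enabled = False
            allowed.clear()
        elif tok in ("allcommands", "+@all", "+@scripting"):
            allowed |= SCRIPTING
        elif tok in ("nocommands", "-@all"):
            allowed.clear()
        elif tok == "-@scripting":
            allowed -= SCRIPTING
        elif tok[:1] in "+-" and tok[1:2] != "@":
            # Per-command rule. A subcommand rule such as "+script|exists" is treated as
            # granting the whole command, which errs on the side of flagging the user.
            cmd = tok[1:].lower().split("|", 1)[0]
            if cmd in SCRIPTING:
                (allowed.add if tok[0] == "+" else allowed.discard)(cmd)
        # ~keys, &channels, #hashes, >passwords, nopass and similar do not affect commands
    return name, (allowed if enabled else set())


def audit(acl_list_lines):
    """Map each user to the sorted list of scripting commands still permitted."""
    return {name: sorted(cmds) for name, cmds in map(scripting_allowed, acl_list_lines)}


# Constructed sample in the `ACL LIST` output format (password hashes are placeholders).
SAMPLE_ACL = [
    "user default on nopass sandbox ~* &* +@all",
    "user app on #<sha256-placeholder> ~app:* &* -@all +@read +@write",
    "user ops on #<sha256-placeholder> ~* &* +@all -eval -evalsha",
    "user locked off ~* &* +@all",
]

if __name__ == "__main__":
    for user, cmds in audit(SAMPLE_ACL).items():
        print(f"{user:8} can still run: {', '.join(cmds) or '(nothing)'}")
```

Run it over the lines returned by `redis-cli ACL LIST`: any user other than the ones that genuinely need scripting should come back with an empty list, and the `ops` sample shows why the per-command denial in step 2 is narrower than denying the category.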

### 🔹 Short Term (1–7 days)
- Inventory all Redis deployments.  
- Rotate passwords and keys.  
- Increase logging around scripting commands.  
- Block public network exposure entirely.  

### 🔹 Long Term (1–4 weeks)
- Patch and rebuild all Redis instances.  
- Harden configurations (no public access, least-privilege ACLs).  
- Implement continuous version scanning and alerting.  
- Conduct red/blue team exercises simulating RediShell exploitation.  

---

## 🧭 Incident Response Checklist
1. **Isolate** affected host(s) immediately.  
2. **Preserve evidence:** memory dump, Redis logs, RDB/AOF files, system logs.  
3. **Search** for indicators of unauthorized Lua execution or spawned shells.  
4. **Rebuild** from clean image if any compromise suspected.  
5. **Rotate** credentials and review ACL changes.  
6. **Notify** internal stakeholders and update incident records.  

---

## 💡 Risk & Priority Assessment
| Category | Rating | Notes |
|-----------|--------|-------|
| Exploitability | 🔥 High | Public PoCs exist |
| Impact | 💀 Severe | Full host compromise |
| Exposure | 🌐 Widespread | Many open Redis instances |
| Urgency | 🚨 Immediate | Patch or mitigate now |

---

## 🧾 Summary Table
| Item | Detail |
|------|--------|
| CVE ID | CVE-2025-49844 |
| Codename | RediShell |
| Type | Use-After-Free / RCE |
| CVSS | 9.9 – 10.0 (Critical) |
| Attack Vector | Authenticated Lua Script |
| Impact | Sandbox Escape, Host Compromise |
| Fix | Redis 8.2.2 + |
| Workaround | Disable EVAL / EVALSHA |
| Detection Focus | EVAL activity, Lua crashes |
| Risk Level | 🚨 Critical |

---

## 🎨 Aesthetic Design Notes
- **Layout:** two-column format; left = summary and impact, right = mitigation and detection.  
- **Palette:** charcoal background, red accent headers, white text blocks.  
- **Typography:** *Inter / Roboto* for clarity; use monospace for commands.  
- **Icons:** ⚠️ for risk, 🧠 for info, 🛠 for actions, 🔎 for detection.  
- **Visual elements:**  
  - Attack-flow diagram (see above)  
  - Severity badge with red gradient  
  - Timeline bar (Discovery → Patch → Advisory)  
  - Boxed “Immediate Actions” section  

---

## 🧩 Key Takeaways
- Redis Lua scripting can be exploited to achieve RCE.  
- Patch all Redis servers to **8.2.2 or higher** immediately.  
- Restrict `EVAL` access and limit network exposure.  
- Monitor for abnormal Lua usage or crashes.  
- Treat unpatched servers as **high-risk assets**.

---
