CVE-2025-49844 – Redis Lua Parser Use-After-Free# CVE-2025-49844 – Redis Lua Parser Use-After-Free
Lua chunk-name GC race leading to Redis 8.2.1 use-after-free and remote code execution.
## Overview
Redis embeds Lua 5.1 for scripting. In versions up to 8.2.1 the `luaY_parser` function does NOT anchor the chunk name string on the Lua stack before invoking the lexer. A crafted script can trigger garbage collection while the parser still references the freed string, producing a UAF that leads to native code execution.
## Environment
- Redis server 8.2.1 (or any vulnerable release before 8.2.2)
- `redis-cli`
- Local network access to the Redis instance
## Files
- [`CVE-2025-49844.lua`](/CVE-2025-49844.lua) – hammer the parser with thousands of `loadstring` calls and a GC-enabled chunk name to win the race.
## Usage
```bash
while redis-cli -h localhost -p 6379 --eval CVE-2025-49844.lua >/dev/null; do
printf '.'
done
```
**Expected result:**
On vulnerable builds the Redis process eventually crashes or drops the connection. Patched 8.2.2 (commit [d5728cb5795c966c5b5b1e0f0ac576a7e69af539](https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539)) anchors the chunk name and the script runs harmlessly.
## Mitigation
Upgrade to Redis 8.2.2 or later, or disable Lua scripting for untrusted users.
[4.0K] /data/pocs/47a66614a1f0059a86746be26e27451c24cf0ca4
├── [1.1K] CVE-2025-49844.lua
└── [1.3K] README.md
1 directory, 2 files