# 🚨 ALERT: Redis Exploit Detected — CVE-2025-49844 (RediShell)
---
🚨 **CVE-2025-49844 — “RediShell”**
---
**Severity:** 🔴 Critical — CVSS 9.9–10.0
**Type:** Use-After-Free → Remote Code Execution (RCE)
**Component:** Redis Lua Scripting Engine
**Status:** Patched in Redis 8.2.2
**Published:** October 2025
---
## 🧠 Overview
A critical memory corruption bug in Redis’s Lua scripting engine allows **authenticated attackers** to run specially crafted Lua scripts that trigger a **use-after-free** condition.
This breaks the Lua sandbox and enables **native code execution on the host**, leading to **full system compromise**.
Redis instances with Lua scripting enabled (default in many builds) are widely exposed, making this vulnerability extremely high risk.
---
## ⚙️ Technical Summary
**Root cause:** Unsafe memory reuse in Lua garbage collector handling of freed objects.
**Trigger:** Crafted Lua scripts executed via `EVAL` or `EVALSHA`.
**Impact:** Sandbox escape → native code execution → host takeover.
**Authentication:** Required (or bypassed via misconfiguration).
**Exploitation complexity:** Low once authenticated access to the instance is obtained.
```
Attack Flow Diagram
──────────────────────────────
[Authenticated Access]
↓
[Malicious Lua Script]
↓
[Use-After-Free Trigger]
↓
[Sandbox Escape → RCE]
↓
[Host Compromise]
──────────────────────────────
```
---
## 🧩 Affected Versions
| Branch | Vulnerable | Fixed |
|---------|-------------|--------|
| 8.x | ≤ 8.2.1 | 8.2.2 |
| 8.0.x | ≤ 8.0.3 | 8.0.4 |
| 7.4.x | ≤ 7.4.5 | 7.4.6 |
| 7.2.x | ≤ 7.2.10 | 7.2.11 |
**Redis forks or enterprise builds** that include Lua scripting are likely impacted.
---
## 📉 Impact Summary
- Remote Code Execution (RCE)
- Complete host compromise
- Data theft or tampering
- Potential lateral movement inside networks
- Redis service crashes or instability
---
## 🕓 Disclosure Timeline
- Vulnerability identified mid-2025
- Official advisory and patches released October 2025
- Security research write-ups and PoC demos appeared shortly after
- Active scanning observed within weeks of disclosure
---
## 🔎 Indicators of Compromise (IoCs)
- Unexpected or excessive `EVAL` / `EVALSHA` usage
- Redis crashes mentioning `lua_gc`, `scripting.c`, or segmentation faults
- Redis processes spawning unexpected shells or binaries
- Outbound network connections from Redis host
- Newly created Redis users or ACL changes
- Unrecognized Lua scripts or stored keys
---
## 🧰 Detection & Verification
**Check Redis version**
```
redis-cli INFO server | grep redis_version
```
**Search logs for script execution**
```
grep -i "EVAL" /var/log/redis/*.log
```
**Check for crashes**
```
journalctl -u redis.service | grep -E "lua_gc|segfault"
```
**Inspect running processes / network**
```
ps aux | grep [r]edis          # bracket trick keeps the grep itself out of the output
ss -tunap | grep redis         # -p lists the owning process; -n alone would never print "redis"
```
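The four checks above are easy to automate. The script below is an added example and is not part of the advisory: it classifies a `redis_version` against the fixed releases from the Affected Versions table and scans log lines for the crash and scripting indicators listed under IoCs. The INFO output and log lines embedded in it are constructed samples, and the rule that branches newer than 8.2 count as fixed while older unlisted branches are reported as "unlisted" is our assumption, not something the table states. One caveat for the log grep: Redis does not write individual commands to its log file by default, so the `EVAL` pattern only finds what a proxy, a `MONITOR` capture or your own logging pipeline recorded.

```python
"""Added example (not from the advisory): check a Redis version string against the
fixed releases in the Affected Versions table, and scan log lines for the crash /
scripting indicators named under IoCs."""
import re
import subprocess

# Fixed releases per branch, taken from the Affected Versions table above.
FIXED_BY_BRANCH = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
}


def parse_version(text):
    """Extract (major, minor, patch) from a string such as '7.2.10'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_from_info(info_output):
    """Pull redis_version out of 'INFO server' output (one 'key:value' per line)."""
    for line in info_output.splitlines():
        if line.startswith("redis_version:"):
            return parse_version(line.split(":", 1)[1])
    raise ValueError("redis_version not found in INFO output")


def patch_status(version):
    """Classify a version as 'fixed', 'vulnerable' or 'unlisted'.

    Assumption (ours, not the advisory's): a branch newer than 8.2 is treated as
    fixed, 8.1.x falls under the '8.x <= 8.2.1' row, and older branches absent
    from the table are returned as 'unlisted' so they get reviewed by hand.
    """
    major, minor, _ = version
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return "fixed" if version >= FIXED_BY_BRANCH[branch] else "vulnerable"
    if branch > (8, 2):
        return "fixed"
    if major == 8:  # 8.1.x: covered by the 8.x row, first fix is 8.2.2
        return "vulnerable"
    return "unlisted"


# Indicators named under "Indicators of Compromise", matched case-insensitively.
IOC_PATTERNS = {
    "lua_gc_crash": re.compile(r"lua_gc", re.I),
    "scripting_c_crash": re.compile(r"scripting\.c", re.I),
    "segfault": re.compile(r"segmentation fault|segfault|SIGSEGV|crashed by signal: 11", re.I),
    "eval_usage": re.compile(r"\bEVAL(SHA)?\b", re.I),
}


def scan_log_lines(lines):
    """Return [(line_number, indicator_name, line)] for every line matching an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pat in IOC_PATTERNS.items():
            if pat.search(line):
                hits.append((n, name, line.strip()))
    return hits


# Constructed sample data standing in for real INFO output and log lines.
SAMPLE_INFO = "# Server\nredis_version:7.2.10\nredis_mode:standalone\n"
SAMPLE_LOG = [
    "1234:M 06 Oct 2025 10:01:02.123 * Ready to accept connections tcp",
    "1234:M 06 Oct 2025 10:05:44.001 # Redis 7.2.10 crashed by signal: 11, si_code: 1",
    "1234:M 06 Oct 2025 10:05:44.002 # Crashed running the instruction at: lua_gc",
    "1234:M 06 Oct 2025 10:05:44.003 # Backtrace: scripting.c:512",
    "proxy: client 10.0.0.9 -> EVALSHA a1b2c3 0",
]


def main():
    v = version_from_info(SAMPLE_INFO)
    print("sample version", ".".join(map(str, v)), "->", patch_status(v))
    for hit in scan_log_lines(SAMPLE_LOG):
        print("IoC", hit)
    # Optional live check: same logic applied to a local instance, if redis-cli exists.
    try:
        out = subprocess.run(["redis-cli", "INFO", "server"], capture_output=True,
                             text=True, timeout=5).stdout
        live = version_from_info(out)
        print("live version", ".".join(map(str, live)), "->", patch_status(live))
    except (FileNotFoundError, ValueError, subprocess.TimeoutExpired):
        print("redis-cli not available or no version returned; skipped live check")


if __name__ == "__main__":
    main()
```

Run it as-is to see the sample results, or feed `version_from_info` the real output of `redis-cli INFO server` and `scan_log_lines` the lines from `/var/log/redis/*.log` or `journalctl -u redis.service`.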
---
## 🛠 Mitigation & Workarounds
### 🔹 Immediate (0–24 hours)
1. **Upgrade to Redis 8.2.2 or newer.**
2. **Disable scripting** for untrusted users:
```
ACL SETUSER default -EVAL -EVALSHA
```
3. **Require authentication** — enforce `requirepass` or ACL logins.
4. **Restrict network access** — allow only trusted internal IPs/VPNs.
5. **Run Redis as a non-root user** to reduce impact.
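Steps 2 and 3 are only effective if every enabled user is covered, and `ACL SETUSER default -EVAL -EVALSHA` on its own leaves other users and the read-only `EVAL_RO` / `EVALSHA_RO` variants (which also execute Lua) untouched. The audit below is an added example, not the advisory's or the Redis project's code: it replays the command rules from `ACL LIST` output for each enabled user, reports users who can still run Lua or who log in with `nopass`, and prints the `ACL SETUSER` line that would close each gap. The `ACL LIST` lines are constructed samples with `#<sha256-placeholder>` standing in for real password hashes, and only the subset of ACL grammar needed here (`+@all`/`-@all`, `allcommands`/`nocommands`, `+@scripting`/`-@scripting`, `+cmd`/`-cmd`) is modelled.

```python
"""Added example (not the advisory's code): audit 'ACL LIST' output for users who
can still run Lua scripts or who need no password, and suggest the fix for each."""
import shlex

# Commands that execute Lua. EVAL/EVALSHA are the ones the advisory names;
# EVAL_RO/EVALSHA_RO are their read-only variants and run Lua as well (our addition).
LUA_COMMANDS = ("eval", "evalsha", "eval_ro", "evalsha_ro")


def user_from_acl_line(line):
    """Parse one 'ACL LIST' line, e.g. 'user default on nopass ~* &* +@all',
    into {'name': ..., 'rules': [lower-cased tokens after the name]}."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    return {"name": tokens[1], "rules": [t.lower() for t in tokens[2:]]}


def lua_commands_allowed(rules):
    """Replay the command rules in order; return the Lua commands still permitted."""
    allowed = set()
    for tok in rules:
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = set(LUA_COMMANDS)  # @scripting category covers the Lua commands
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed = set()
        elif tok.startswith("+") and tok[1:] in LUA_COMMANDS:
            allowed.add(tok[1:])
        elif tok.startswith("-") and tok[1:] in LUA_COMMANDS:
            allowed.discard(tok[1:])
    return sorted(allowed)


def audit_acl(acl_list_output, trusted=()):
    """Return findings [(user, issue, suggested_fix)] for enabled users.
    'trusted' lists users that are allowed to keep scripting (an app that needs it)."""
    findings = []
    for line in acl_list_output.splitlines():
        if not line.strip():
            continue
        u = user_from_acl_line(line)
        name, rules = u["name"], u["rules"]
        if "off" in rules:  # disabled user: cannot authenticate at all
            continue
        if "nopass" in rules:
            findings.append((name, "no password required",
                             f"ACL SETUSER {name} resetpass >CHANGE-ME-PLACEHOLDER"))
        lua = lua_commands_allowed(rules)
        if lua and name not in trusted:
            minus = " ".join(f"-{c}" for c in lua)
            findings.append((name, "can run Lua: " + " ".join(lua),
                             f"ACL SETUSER {name} {minus}"))
    return findings


# Constructed samples: ACL LIST output before and after applying the workaround.
SAMPLE_BEFORE = """user default on nopass ~* &* +@all
user app on #<sha256-placeholder> ~app:* &* -@all +get +set +eval
user readonly on #<sha256-placeholder> ~* &* -@all +@read
user svc on #<sha256-placeholder> ~* &* +@all -eval -evalsha
"""
SAMPLE_AFTER = """user default on #<sha256-placeholder> ~* &* +@all -eval -evalsha -eval_ro -evalsha_ro
user app on #<sha256-placeholder> ~app:* &* -@all +get +set
user readonly on #<sha256-placeholder> ~* &* -@all +@read
user svc off #<sha256-placeholder> ~* &* -@scripting
"""


def main():
    for user, issue, fix in audit_acl(SAMPLE_BEFORE):
        print(f"{user}: {issue}\n    fix: {fix}")
    print("after hardening:", audit_acl(SAMPLE_AFTER) or "no findings")


if __name__ == "__main__":
    main()
```

Note that the `svc` user in the sample is flagged even though it already has `-eval -evalsha`, because `eval_ro` and `evalsha_ro` remain allowed; `-@scripting` closes all of them at once. `ACL SETUSER` only changes the in-memory ruleset, so persist the result with `ACL SAVE` (when an `aclfile` is configured) or `CONFIG REWRITE`, otherwise a restart restores the old rules.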
### 🔹 Short Term (1–7 days)
- Inventory all Redis deployments.
- Rotate passwords and keys.
- Increase logging around scripting commands.
- Block public network exposure entirely.
### 🔹 Long Term (1–4 weeks)
- Patch and rebuild all Redis instances.
- Harden configurations (no public access, least-privilege ACLs).
- Implement continuous version scanning and alerting.
- Conduct red/blue team exercises simulating RediShell exploitation.
---
## 🧭 Incident Response Checklist
1. **Isolate** affected host(s) immediately.
2. **Preserve evidence:** memory dump, Redis logs, RDB/AOF files, system logs.
3. **Search** for indicators of unauthorized Lua execution or spawned shells.
4. **Rebuild** from clean image if any compromise suspected.
5. **Rotate** credentials and review ACL changes.
6. **Notify** internal stakeholders and update incident records.
---
## 💡 Risk & Priority Assessment
| Category | Rating | Notes |
|-----------|--------|-------|
| Exploitability | 🔥 High | Public PoCs exist |
| Impact | 💀 Severe | Full host compromise |
| Exposure | 🌐 Widespread | Many open Redis instances |
| Urgency | 🚨 Immediate | Patch or mitigate now |
---
## 🧾 Summary Table
| Item | Detail |
|------|--------|
| CVE ID | CVE-2025-49844 |
| Codename | RediShell |
| Type | Use-After-Free / RCE |
| CVSS | 9.9 – 10.0 (Critical) |
| Attack Vector | Authenticated Lua Script |
| Impact | Sandbox Escape, Host Compromise |
| Fix | Redis 8.2.2+ (or the fixed release of your branch, see Affected Versions) |
| Workaround | Disable EVAL / EVALSHA |
| Detection Focus | EVAL activity, Lua crashes |
| Risk Level | 🚨 Critical |
---
## 🎨 Aesthetic Design Notes
- **Layout:** two-column format; left = summary and impact, right = mitigation and detection.
- **Palette:** charcoal background, red accent headers, white text blocks.
- **Typography:** *Inter / Roboto* for clarity; use monospace for commands.
- **Icons:** ⚠️ for risk, 🧠 for info, 🛠 for actions, 🔎 for detection.
- **Visual elements:**
  - Attack-flow diagram (see above)
  - Severity badge with red gradient
  - Timeline bar (Discovery → Patch → Advisory)
  - Boxed “Immediate Actions” section
---
## 🧩 Key Takeaways
- Redis Lua scripting can be exploited to achieve RCE.
- Patch all Redis servers to **8.2.2 or higher** immediately.
- Restrict `EVAL` access and limit network exposure.
- Monitor for abnormal Lua usage or crashes.
- Treat unpatched servers as **high-risk assets**.
---