Very critical security bug in Redis - patch now
RediShell: Critical Remote Code Execution Vulnerability (CVE-2025-49844) in Redis, 10 CVSS score
https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844
_This flaw allows a post auth attacker to send a specially crafted malicious Lua script (a feature supported by default in Redis) to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host._

Comments
This looks like it's a bad one and there's at least one POC of the exploit on GitHub already 😬
I haven't tested it but the example I'm looking at appears to work without auth, which would make it even worse than reported because it wouldn't require the attacker to authenticate before triggering the bug.
Thanks for sharing! Hard to keep track of every vulnerability. Lots of crazy ones lately.
This isn’t something most people need to worry about. For the average company, if someone had authenticated access to your Redis instance, it’s already game over.
There were always known ways to get RCE with authenticated Redis access anyway; this is just a different way to go about it.
Are you sure? Please read the article and you'll see that about every installation is vulnerable. There is a reason for a 10 score.
Yes, I’m sure. It says right there in the article.
CVSS scores are mostly meaningless; you can make any bug basically any CVSS score you want depending on how you interpret it.
Ssssh, you don't expect people to read articles, do you? I mean, it's all just about the headline!!