Critical Vulnerability in Redis: RediShell (CVE‑2025‑49844)

A critical vulnerability has been found in Redis (CVE‑2025‑49844), the widely used in-memory key-value store that sits behind many web stacks as a cache and session store. Dubbed RediShell, the flaw lets a client that can run Lua scripts (anyone who can reach the port on an instance with no password) escape the Lua sandbox and execute arbitrary code on the host by sending a crafted script through EVAL. The root cause is a use-after-free bug in the Lua interpreter embedded in Redis.

The CVSS score is the maximum 10.0. Every Redis version with Lua scripting enabled (the default) is affected; 8.2.2 is the first fixed release on the current branch, and Redis also published patched releases for the older maintained branches, so check the Redis advisory for the fixed version of the branch you run.

A massive attack surface

As of today, over 330,000 Redis instances are publicly accessible. Even worse, a recent investigation by Wiz revealed that around 60,000 of them require no authentication at all. Introduced over 13 years ago, the flaw remained exploitable under the radar until its recent disclosure.

What to do now?

To secure your environment immediately:

  • Upgrade Redis to version 8.2.2 or newer, or to the patched release of the branch you run.
  • Deny the @scripting ACL category (EVAL, EVALSHA, FCALL, FUNCTION, SCRIPT) to every user that does not need it; on setups that predate ACLs, rename-command EVAL/EVALSHA to an empty string.
  • Never expose Redis directly to the Internet: bind it to loopback or a private interface and firewall the port.
  • Require a strong password (requirepass, or an ACL user with a password) and keep protected-mode on, which is what turns the exploit from "anyone who can connect" into "authenticated clients only".
  • Review whatever records you have of client commands (SLOWLOG, MONITOR captures, proxy or network logs) for EVAL calls carrying unexpected Lua.
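
The checks above can be scripted against a version string and a redis.conf. The following is an added example written for this article, not Redis's own tooling; it assumes the fixed versions per maintained branch announced on 3 October 2025 (8.2.2, 8.0.4, 7.4.6, 7.2.11, 6.2.20), which you should confirm against the Redis advisory for your branch, and the two redis.conf samples are constructed for the example.

```python
"""Audit helpers for the RediShell mitigations (added example, not Redis's own code).

Assumption: the first patched release on each maintained branch is taken from the
Redis advisory of 3 October 2025; confirm against the advisory for your branch.
The redis.conf samples at the bottom are constructed for this example.
"""

FIXED_BY_BRANCH = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
    (6, 2): (6, 2, 20),
}

LOOPBACK = {"127.0.0.1", "::1"}


def parse_version(text):
    """'7.4.5' -> (7, 4, 5)."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version):
    """True when this Redis version still carries the Lua use-after-free.

    Branches missing from the advisory (unmaintained lines such as 7.0 or 5.0)
    never received a fix, so anything there below 8.2.2 is treated as exposed.
    """
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2], (8, 2, 2))
    return v < fixed


def parse_redis_conf(conf_text):
    """Split a redis.conf into {directive: [values]} plus the tokenised 'user' ACL lines."""
    directives, users = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "user":
            users.append(value.split())
        else:
            directives.setdefault(key, []).append(value)
    return directives, users


def audit_config(conf_text):
    """Return the findings relevant to RediShell; an empty list means all checks pass."""
    directives, users = parse_redis_conf(conf_text)
    findings = []

    # 1. Exposure: no 'bind' means every interface; '*', '0.0.0.0' and '::' are wildcards.
    #    A leading '-' marks an optional address in Redis syntax and is stripped here.
    bind_tokens = [t.lstrip("-") for v in directives.get("bind", []) for t in v.split()]
    if not bind_tokens or any(t not in LOOPBACK for t in bind_tokens):
        findings.append("bind: reachable beyond loopback; firewall the port or bind to 127.0.0.1 / ::1")

    # 2. protected-mode defaults to yes; switching it off removes the last guard on open instances.
    if directives.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode: explicitly disabled")

    # 3. Authentication: requirepass, or a 'user default on >password ...' ACL line
    #    ('#<sha256>' is the hashed-password form; 'nopass' disables the check).
    default_user = next((u for u in users if u and u[0] == "default"), None)
    default_has_pw = (
        default_user is not None
        and "on" in default_user
        and "nopass" not in default_user
        and any(t.startswith((">", "#")) for t in default_user)
    )
    if "requirepass" not in directives and not default_has_pw:
        findings.append("auth: no password; EVAL is reachable by anyone who can connect")

    # 4. Scripting surface: deny the @scripting category, or rename EVAL and EVALSHA away.
    acl_denies_scripting = any("-@scripting" in u for u in users)
    renamed = {
        v.split()[0].upper()
        for v in directives.get("rename-command", [])
        if v.split()[1:] == ['""']
    }
    if not acl_denies_scripting and not {"EVAL", "EVALSHA"} <= renamed:
        findings.append("scripting: authenticated clients can still run Lua (add -@scripting to their ACL)")
    return findings


# Constructed samples, not taken from any real deployment.
WEAK_CONF = """\
# the shape of the open instances Wiz counted: every interface, no password
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
# one ACL line replaces requirepass and removes the scripting surface for the default user
user default on >REPLACE_WITH_A_LONG_RANDOM_SECRET ~* &* +@all -@scripting
"""

if __name__ == "__main__":
    for ver in ("7.4.5", "7.4.6", "8.2.1", "8.2.2"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "patched")
    print("weak:", audit_config(WEAK_CONF))
    print("hardened:", audit_config(HARDENED_CONF))
```

Feed `audit_config` the file your instance actually loads (check `CONFIG GET dir` and the startup command line, since a stray default config is a common reason an instance ends up unauthenticated), and run `is_vulnerable` against the `redis_version` field of `INFO server`. Denying `@scripting` on the default user is a blunt rule: if an application legitimately uses EVAL, give it a dedicated ACL user that keeps scripting and restrict everyone else.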

The vulnerability was officially published on October 3, 2025, along with a patch. Exploit tools already support this CVE — making swift action essential.

And if you want to learn more about configuring Redis for your Magento 2 setup, check out our article Magento 2 & Redis: Boosting Cache and Managing Sessions the Right Way