Redis Cve-2025-49844: Use-After-Free May Lead to Remote Code Execution

Posted3 months agoActive3 months ago

khaled_ismaeel

20 points

13 comments

redis.ioTechstory

calmnegative

Debate

30/100

RedisSecurityCveVulnerability

Key topics

Redis

Security

Cve

Vulnerability

A use-after-free vulnerability (CVE-2025-49844) in Redis may lead to remote code execution, prompting discussion on its impact and mitigation strategies.

Snapshot generated from the HN discussion

Discussion Activity

Moderate engagement

First comment

Peak period

0-2h

Avg / period

3.3

Comment distribution13 data points

Loading chart...

Based on 13 loaded comments

Key moments

01Story posted
Oct 7, 2025 at 5:33 AM EDT
3 months ago
Step 01
02First comment
Oct 7, 2025 at 6:36 AM EDT
1h after posting
Step 02
03Peak activity
9 comments in 0-2h
Hottest window of the conversation
Step 03
04Latest activity
Oct 8, 2025 at 7:51 AM EDT
3 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (13 comments)

Showing 13 comments

jijji

3 months ago

3 replies

most people use redis on localhost (i hope)

johnbellone

3 months ago

2 replies

I’d imagine recent uptick in using services like Upstash may make it harder for people to know if they are vulnerable or not. Is this mitigated by disabling Lua script execution?

loloquwowndueo

3 months ago

Upstash wouldn’t be vulnerable - Upstash doesn’t run upstream redis, it’s a protocol-compatible proprietary implementation.

arnorhs

3 months ago

I would guess it is.

Also:

> Exploitation of this vulnerability requires an attacker to first gain authenticated access to your Redis instance.

benmmurphy

3 months ago

it used to possible to execute redis commands against localhost from the web browser using domain rebinding. but i think redis did something to the protocol to fix this. also, this is only really relevant for developers.

styluss

3 months ago

52,874 are connected to the internet according to Shodan.https://www.shodan.io/search?query=redis+product%3A%22Redis+... Not affiliated with them.

NicolaiS

3 months ago

1 reply

Note that this requires an authenticated user, so most redis installations are not directly at risk.

The github issue has these workarounds: > An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

I guess most people doesn't use the lua engine, so this is probably a good advice to disable even if upgrading to a non-vuln version of Redis.

alserio

3 months ago

I'd like to see stats about that. Lua scripts in Redis are one of its most useful feature

DarkNova6

3 months ago

1 reply

And this is why we need memory safety languages.

jacquesm

3 months ago

1 reply

Your last three comments are more or less exactly the same thing.

DarkNova6

3 months ago

Thank you for showing interest in my profile.

As you see you can’t fault me for being consistent, can you?

jacquesm

3 months ago

This was here already earlier today:

https://news.ycombinator.com/item?id=45497027

Also: "As part of an ongoing effort by Redis and the Redis community to maintain Redis’ safety, security, and compliance posture, a security vulnerability in Redis has been identified and remediated in the versions indicated below." seems to be a bit strange given that this wasn't an effort led by Redis?

normie3000

3 months ago

How does it work?

View full discussion on Hacker News

ID: 45501099Type: storyLast synced: 11/20/2025, 2:49:46 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN