A 13-year-old critical flaw in Redis servers, rated a perfect 10 out of 10 in severity, can let an authenticated user trigger remote code execution.
For anyone using Redis Cloud, the service has already been upgraded with fixes, so there is no need to do anything. But anyone using self-managed versions of the widely used in-memory database (OSS, CE, Stack, and Software versions) should upgrade to the latest release listed here.
The security flaw, tracked as CVE-2025-49844, affects all Redis versions with Lua scripting. It allows an authenticated attacker to send a malicious Lua script, manipulate the garbage collector (the memory management system intended to prevent memory leaks), and trigger a use-after-free that can potentially lead to remote code execution in the Redis server pro