CVE-2025-49844
Publication date 3 October 2025
Last updated 20 October 2025
Ubuntu priority
Description
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Why is this CVE high priority?
This CVE is likely easy to exploit in the default configuration
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| redict | 25.10 questing |
Fixed 7.3.5+ds-1ubuntu0.1
|
| 25.04 plucky |
Fixed 7.3.2+ds-1ubuntu0.1
|
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| redis | 25.10 questing |
Fixed 5:8.0.2-3ubuntu0.25.10.1
|
| 25.04 plucky |
Fixed 5:7.0.15-3ubuntu0.1
|
|
| 24.04 LTS noble |
Fixed 5:7.0.15-1ubuntu0.24.04.2
|
|
| 22.04 LTS jammy |
Fixed 5:6.0.16-1ubuntu1.1
|
|
| 20.04 LTS focal |
Fixed 5:5.0.7-2ubuntu0.1+esm4
|
|
| 18.04 LTS bionic |
Fixed 5:4.0.9-1ubuntu0.2+esm6
|
|
| 16.04 LTS xenial |
Fixed 2:3.0.6-1ubuntu0.4+esm4
|
|
| 14.04 LTS trusty |
Fixed 2:2.8.4-2ubuntu0.2+esm5
|
|
| valkey | 25.10 questing |
Vulnerable
|
| 25.04 plucky |
Vulnerable
|
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy | Not in release |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.9 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7824-1
- Redis vulnerability
- 15 October 2025
- USN-7824-2
- Redict vulnerability
- 16 October 2025
- USN-7824-3
- Redis vulnerability
- 16 October 2025
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-49844
- https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q
- https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539 (8.2.2)
- https://github.com/valkey-io/valkey/commit/6dd003e88feace83e55491f32376f6927896e31e
- https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539
- https://github.com/redis/redis/releases/tag/8.2.2