CVE•Published 2025-10-03•2 articles on news•6 live references•NVD data

CVE-2025-49844

Vulnerability data via CVEDB (Shodan)

CVSS v3.1

9.9

CRITICAL

EPSS percentile

100

Exploit Prediction Scoring System · top 0% of all CVEs

Description

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Timeline

Published 2025-10-03

External references

NVD MITRE Exploit-DB Sploitus trickest/cve VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2025-49844

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product + version

product:"Lfprojects Valkey" version:"7.2.10"

Version-pinned fingerprint from NVD's first vulnerable CPE.

Shodan · banner/body mention

http.html:"Valkey"

HTTP body or banner mentions "Valkey" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2025-49844