FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

redis,valkey -- Lua Use-After-Free may lead to remote code execution

Affected packages
8.2.0 <= redis < 8.2.2
8.0.0 <= redis80 < 8.0.4
7.4.0 <= redis74 < 7.4.6
7.2.0 <= redis72 < 7.2.11
6.2.0 <= redis62 < 6.2.20
valkey < 8.1.4
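
The ranges above can be checked mechanically. The following is an added example, not part of VuXML or the FreeBSD pkg tooling: it parses this entry's range lines and tests a package name and version against them. The function names are hypothetical, the inventory in the demo is constructed, and it assumes plain dotted numeric versions (a trailing `_N` port revision is dropped, epochs are rejected).

```python
import re

# Ranges copied from the "Affected packages" list of this entry.
AFFECTED = """\
8.2.0 <= redis < 8.2.2
8.0.0 <= redis80 < 8.0.4
7.4.0 <= redis74 < 7.4.6
7.2.0 <= redis72 < 7.2.11
6.2.0 <= redis62 < 6.2.20
valkey < 8.1.4
"""

# Optional "LOW <=" bound, package name, optional "< HIGH" bound.
RANGE_RE = re.compile(
    r"^(?:(?P<lo>[\d.]+)\s*(?P<lo_op><=|<)\s*)?"
    r"(?P<name>[A-Za-z][\w.+-]*)"
    r"(?:\s*(?P<hi_op><=|<)\s*(?P<hi>[\d.]+))?$")

def vkey(version):
    """Dotted numeric version -> int tuple; a trailing _N port revision is dropped."""
    core = version.split("_", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(part) for part in core.split("."))

def parse_ranges(text):
    """Map package name -> list of (lo, lo_op, hi_op, hi) from range lines."""
    ranges = {}
    for line in text.splitlines():
        m = RANGE_RE.match(line.strip())
        if m:
            ranges.setdefault(m["name"], []).append(m.group("lo", "lo_op", "hi_op", "hi"))
    return ranges

def _holds(a, op, b):
    return a <= b if op == "<=" else a < b

def is_affected(name, version, ranges=None):
    """True if name-version falls inside any range listed for that package."""
    ranges = parse_ranges(AFFECTED) if ranges is None else ranges
    v = vkey(version)
    return any(
        (lo is None or _holds(vkey(lo), lo_op, v))
        and (hi is None or _holds(v, hi_op, vkey(hi)))
        for lo, lo_op, hi_op, hi in ranges.get(name, []))

if __name__ == "__main__":
    # Constructed inventory, not taken from a real host.
    for pkg, ver in [("redis", "8.2.1"), ("redis72", "7.2.11"), ("valkey", "8.0.1")]:
        print(pkg, ver, "AFFECTED" if is_affected(pkg, ver) else "ok")
```

Versions are compared as integer tuples, so `7.2.9` sorts below `7.2.11` where a string comparison would not.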

Details

VuXML ID 17e85cae-a115-11f0-9446-f02f7497ecda
Discovery 2025-10-03
Entry 2025-10-04

redis reports:

An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

References

CVE Name CVE-2025-49844
URL https://nvd.nist.gov/vuln/detail/CVE-2025-49844