Redis has disclosed details of a maximum-severity security flaw in its in-memory database software that could result in remote code execution under certain circumstances.
The vulnerability, tracked as CVE-2025-49844 (aka RediShell), has been assigned a CVSS score of 10.0.
“An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free,