CVE-2025-49844

CRITICAL EXPLOITED RANSOMWARE NUCLEI LAB

Redis < 6.2.20, 8.2.1-8.2.2 - Authenticated Use-After-Free via Lua Script Garbage Collector Manipulation

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-49844 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 26 public exploits from researchers including raminfp, Yuri08loveElaina, saneki. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2025-49844 (RediShell), a Use-After-Free vulnerability in Redis's Lua interpreter. It includes a Dockerized vulnerable Redis instance (7.2.0) and a Python script to demonstrate the vulnerability through various test modes.

Description

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Exploits (26)

github WORKING POC 326 stars
by raminfp · pythondos
https://github.com/raminfp/redis_exploit

This repository contains a functional proof-of-concept exploit for CVE-2025-49844 (RediShell), a Use-After-Free vulnerability in Redis's Lua interpreter. It includes a Dockerized vulnerable Redis instance (7.2.0) and a Python script to demonstrate the vulnerability through various test modes.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Redis versions before 8.2.2, 8.0.4, 7.4.6, and 7.2.11
No auth needed
Prerequisites: Docker and Docker Compose installed · Python dependencies (redis, colorama)
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github WORKING POC 64 stars
by Yuri08loveElaina · pythonpoc
https://github.com/Yuri08loveElaina/CVE-2025-49844

This repository contains a functional exploit for CVE-2025-49844, targeting a Use-After-Free (UAF) vulnerability in the Redis Lua interpreter. The exploit includes techniques for bypassing ASLR and DEP/NX, heap spraying, and executing arbitrary shellcode to achieve remote code execution (RCE).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Redis 7.2.x before 7.2.11, Redis 7.4.x before 7.4.6, Redis 8.0.x before 8.0.4, Redis 8.2.x before 8.2.2
Auth required
Prerequisites: Python 3.6+ · Redis server with vulnerable version · Network access to target Redis instance · Optional: Redis authentication credentials
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC 23 stars
by saneki · remote
https://github.com/saneki/cve-2025-49844

This repository contains a functional proof-of-concept exploit for CVE-2025-49844 (RediShell), targeting Redis 8.2.1 on Alpine and Bookworm Docker images. The exploit leverages Lua script manipulation and garbage collection to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Redis 8.2.1 (Alpine and Bookworm)
No auth needed
Prerequisites: Access to Redis server on port 6379 · Redis server running vulnerable version
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github WORKING POC 13 stars
by lastvocher · pythonpoc
https://github.com/lastvocher/redis-CVE-2025-49844

This repository contains a functional proof-of-concept exploit for CVE-2025-49844 (RediShell), a Use-After-Free vulnerability in Redis's Lua interpreter. It includes a Dockerized vulnerable Redis instance (7.2.0) and a Python script to demonstrate the vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Redis versions before 8.2.2, 8.0.4, 7.4.6, and 7.2.11
No auth needed
Prerequisites: Docker and Docker Compose installed · Python dependencies (redis, colorama)
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-49844

The repository contains a functional exploit for CVE-2025-49844, a critical use-after-free vulnerability in Redis' Lua scripting engine, enabling authenticated attackers to achieve remote code execution via crafted Lua scripts.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Redis (versions before 6.2.20, 7.2.11, 7.4.6, 8.0.4, 8.2.2)
Auth required
Prerequisites: Authenticated Redis access · Lua scripting enabled
devstral-2 · analyzed Mar 10, 2026 Full analysis →
github WORKING POC 6 stars
by pedrorichil · pythonpoc
https://github.com/pedrorichil/CVE-2025-49844

This repository contains a functional exploit PoC for CVE-2025-49844 (RediShell), a Use-After-Free vulnerability in Redis's Lua interpreter leading to remote code execution. It includes a Dockerized vulnerable Redis instance (7.2.0) and a Python script to demonstrate the exploit.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Redis versions before 8.2.2, 8.0.4, 7.4.6, and 7.2.11
No auth needed
Prerequisites: Docker and Docker Compose installed · Python dependencies (redis, colorama)
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github WORKING POC 4 stars
by ctkqiang · gopoc
https://github.com/ctkqiang/CVE-Exploits/tree/main/CVE-2025-49844

This Lua script exploits a use-after-free vulnerability in Redis by repeatedly loading and garbage-collecting functions with large chunk names, triggering a crash. It is designed to be executed via `redis-cli --eval` and includes mechanisms to increase memory pressure and race conditions.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Racy
Target: Redis (version not specified)
Auth required
Prerequisites: Access to Redis CLI with script execution privileges
devstral-2 · analyzed Apr 09, 2026 Full analysis →
nomisec STUB 2 stars
by ksnnd32 · poc
https://github.com/ksnnd32/redis_exploit

The repository contains Python scripts for audio feature extraction (MFCC) and CSV processing, but no exploit code or technical details related to CVE-2025-49844. The files appear unrelated to Redis or any exploit.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github SCANNER 2 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-49844

The repository contains a scanner for CVE-2024-21762, a Fortinet SSL VPN vulnerability, which checks for the presence of the vulnerability without exploiting it. It includes Python scripts to send crafted HTTP requests and analyze responses to determine if a target is vulnerable.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Fortinet SSL VPN
No auth needed
Prerequisites: network access to the target · SSL/TLS connectivity
devstral-2 · analyzed Feb 27, 2026 Full analysis →
github WORKING POC 2 stars
by MiclelsonCN · pythonpoc
https://github.com/MiclelsonCN/CVE-2025-49844_POC

This repository contains a functional PoC for CVE-2025-49844, demonstrating a Use-After-Free (UAF) vulnerability in Redis' Lua scripting engine. The exploit includes multiple modes to test basic UAF triggers, sandbox escape attempts, and memory corruption patterns.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Redis (versions 7.2.x < 7.2.11, 7.4.x < 7.4.6, 8.0.x < 8.0.4, 8.2.x < 8.2.2)
Auth required
Prerequisites: Redis instance with Lua scripting enabled · Authentication credentials if applicable
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github SCANNER 1 stars
by angelusrivera · gopoc
https://github.com/angelusrivera/CVE-2025-49844

This repository contains a Go-based scanner for detecting CVE-2025-49844, a use-after-free vulnerability in Redis versions 8.2.1 and older. The scanner checks for vulnerable Redis instances by testing Lua script execution capabilities but does not include exploit code.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Redis versions 8.2.1 and older
Auth required
Prerequisites: Network access to Redis server · Lua scripting enabled on target Redis instance
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github SCANNER 1 stars
by imbas007 · pythonpoc
https://github.com/imbas007/CVE-2025-49844-Vulnerability-Scanner

This repository contains a Python-based scanner for detecting CVE-2025-49844, a vulnerability in Redis. The tool checks for vulnerable Redis versions and Lua scripting capabilities but does not include exploit code.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Redis versions 6.0.0-6.0.16, 6.2.0-6.2.13, 7.0.0-7.0.12, 7.2.0-7.2.10
No auth needed
Prerequisites: Network access to Redis instances · Redis instances exposed on default or custom ports
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github SCANNER 1 stars
by Mufti22 · pythondos
https://github.com/Mufti22/CVE-2025-49844-RediShell-Vulnerability-Scanner

This repository contains a Python-based scanner for detecting CVE-2025-49844, a Use-After-Free vulnerability in Redis' Lua interpreter. It checks for vulnerable versions, Lua scripting capabilities, and authentication requirements without exploiting the vulnerability.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Redis (versions 6.0.0-6.2.20, 7.0.0-7.2.11, 7.4.0-7.4.6, 8.0.0-8.0.4, 8.2.0-8.2.2)
No auth needed
Prerequisites: Network access to Redis instance · Redis instance running a vulnerable version
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github SCANNER 1 stars
by srozb · pythonpoc
https://github.com/srozb/reditrap

This repository contains a Redis honeypot designed to detect exploitation attempts targeting CVE-2025-49844 (RediShell), a critical RCE vulnerability in Redis' Lua engine. The honeypot logs Lua script execution attempts without executing them, providing detailed telemetry for analysis.

Classification
Scanner 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Redis (versions affected by CVE-2025-49844)
No auth needed
Prerequisites: Network access to Redis port (6379) · Unpatched Redis instance vulnerable to CVE-2025-49844
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github WORKING POC
by cc3305 · pythonremote-auth
https://github.com/cc3305/CVE-2025-49844

This repository contains a functional exploit for CVE-2025-49844, a use-after-free vulnerability in Redis's Lua scripting engine. The exploit leverages garbage collection manipulation to achieve remote code execution on vulnerable Redis versions.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Racy
Target: Redis (versions 6.2 before 6.2.20, 7.2 before 7.2.11, 7.4 before 7.4.6, 8.0 before 8.0.4, 8.2 before 8.2.2)
Auth required
Prerequisites: Authenticated access to Redis · Lua scripting enabled · Specific binary layout and build IDs
devstral-2 · analyzed Jun 16, 2026 Full analysis →
nomisec WORKING POC
by open-flaw · dos
https://github.com/open-flaw/CVE-2025-49844

The repository contains functional exploit code for CVE-2025-49844, targeting a buffer overflow in Redis via the XACKDEL command. The PoC demonstrates a crash by sending maliciously crafted stream IDs, leveraging a vulnerability in Redis 7.2.0 or 8.2.x.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Redis 7.2.0 or 8.2.x
No auth needed
Prerequisites: Redis server with vulnerable version · Network access to Redis port (6379)
devstral-2 · analyzed May 17, 2026 Full analysis →
nomisec WORKING POC
by dajneem23 · poc
https://github.com/dajneem23/CVE-2025-49844

This repository contains functional exploit code for CVE-2025-49844, targeting a buffer overflow vulnerability in Redis. The PoC demonstrates a crash via crafted XACKDEL commands with excessive stream IDs, and includes additional scripts for exploitation and environment setup.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Redis 7.2.0 (and potentially other versions)
No auth needed
Prerequisites: Network access to Redis server · Redis server with vulnerable version
devstral-2 · analyzed Apr 09, 2026 Full analysis →
nomisec WORKING POC
by Cilectiy · remote
https://github.com/Cilectiy/CVE-2025-49844

This repository contains a functional proof-of-concept exploit for CVE-2025-49844, targeting Redis. The exploit leverages memory corruption to achieve remote code execution (RCE) via crafted Lua closures and shellcode injection.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Redis (version not explicitly specified in the provided code)
No auth needed
Prerequisites: Network access to the Redis instance · Redis configured to allow Lua script execution
devstral-2 · analyzed Mar 14, 2026 Full analysis →
nomisec WORKING POC
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2025-49844

The repository contains a functional exploit for CVE-2025-49844, a critical use-after-free vulnerability in Redis' Lua scripting engine, enabling authenticated attackers to achieve remote code execution via crafted Lua scripts.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Redis (versions before 6.2.20, 7.2.11, 7.4.6, 8.0.4, 8.2.2)
Auth required
Prerequisites: authenticated Redis access · Lua scripting enabled
devstral-2 · analyzed Apr 09, 2026 Full analysis →
nomisec WORKING POC
by 0xAshwesker · poc
https://github.com/0xAshwesker/CVE-2025-49844

The repository contains a functional exploit for CVE-2025-49844, a critical use-after-free vulnerability in Redis' Lua scripting engine, enabling authenticated attackers to achieve remote code execution via crafted Lua scripts.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Redis (versions before 6.2.20, 7.2.11, 7.4.6, 8.0.4, 8.2.2)
Auth required
Prerequisites: authenticated Redis access · Lua scripting enabled
devstral-2 · analyzed Mar 10, 2026 Full analysis →
gitlab WORKING POC
by patricnilackshan · poc
https://gitlab.com/patricnilackshan/redis_exploit

This repository contains a functional PoC for CVE-2025-49844 (RediShell), a Use-After-Free vulnerability in Redis's Lua interpreter leading to RCE. It includes a Dockerized vulnerable Redis instance (7.2.0) and a Python exploit script demonstrating the vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Redis versions before 8.2.2, 8.0.4, 7.4.6, 7.2.11
No auth needed
Prerequisites: Docker · Python 3 · Redis 7.2.0 (vulnerable version)
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec WORKING POC
by Zain3311 · poc
https://github.com/Zain3311/CVE-2025-49844

The repository contains a functional exploit PoC for CVE-2025-49844, demonstrating SQL injection vulnerabilities in the DesiShop application. The vulnerable code is present in the HomeController.cs file, where user input is directly interpolated into SQL queries without proper sanitization.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: DesiShop (version not specified)
No auth needed
Prerequisites: Access to the DesiShop application · Ability to send crafted HTTP requests to the vulnerable endpoints
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC
by zbyszkok · poc
https://github.com/zbyszkok/CVE-2025-49844-RediShell-AI-made-Revshell

This repository contains a functional exploit PoC for CVE-2025-49844, targeting a use-after-free vulnerability in the Redis Lua interpreter. The exploit attempts to restore the 'print' function by calling 'luaopen_base' and includes multiple iterative attempts to achieve code execution.

Classification
Working Poc 80%
Attack Type
Rce
Complexity
Complex
Reliability
Theoretical
Target: Redis (version not explicitly specified, likely 8.2.2 or earlier)
No auth needed
Prerequisites: Redis server with Lua scripting enabled · Base address of the Redis binary (obtained via GDB) · Network access to the Redis server
devstral-2 · analyzed Apr 09, 2026 Full analysis →
nomisec WORKING POC
by Network-Sec · poc
https://github.com/Network-Sec/CVE-2025-49844-RediShell-AI-made-Revshell

This repository contains a functional exploit PoC for CVE-2025-49844, targeting a use-after-free vulnerability in the Redis Lua interpreter. The exploit attempts to restore the 'print' function by calling 'luaopen_base' and includes multiple iterative attempts to achieve code execution.

Classification
Working Poc 80%
Attack Type
Rce
Complexity
Complex
Reliability
Theoretical
Target: Redis (version not explicitly specified, likely 8.2.2 or earlier)
No auth needed
Prerequisites: Redis server with Lua scripting enabled · Base address of the Redis binary (obtained via GDB)
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github SCANNER
by gopinaath · shellpoc
https://github.com/gopinaath/CVE-2025-49844-discovery

This repository contains scripts to audit AWS ElastiCache Redis/Valkey clusters for network exposure, specifically checking for internet-facing configurations via IGW routes. It does not exploit CVE-2025-49844 but scans for potential misconfigurations that could be leveraged in an attack.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: AWS ElastiCache Redis/Valkey
Auth required
Prerequisites: AWS CLI configured with appropriate credentials · jq installed · Access to target AWS accounts
devstral-2 · analyzed Feb 19, 2026 Full analysis →
vulncheck_xdb WORKING POC
dos
https://github.com/elyasbassir/CVE-2025-49844

The repository contains a functional Lua script exploiting CVE-2025-49844, a use-after-free vulnerability in Redis's Lua parser. The PoC manipulates garbage collection to trigger a crash or potential RCE by reusing freed chunk names during parsing.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Racy
Target: Redis (versions below 8.2.2)
No auth needed
Prerequisites: Redis server with Lua scripting enabled · Network access to Redis instance
devstral-2 · analyzed Feb 25, 2026 Full analysis →

Nuclei Templates (1)

Redis Lua Parser < 8.2.2 - Use After Free
CRITICALVERIFIEDby pussycat0x
Shodan: product:"redis"

References (5)

Core 5

Scores

CVSS v3 9.9
EPSS 0.8627
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull redis:8.2.1-alpine
docker pull redis:8.2.1-bookworm
docker pull redis:7.2.0
+23 more repos

Details

VulnCheck KEV 2025-12-23
Ransomware Use Confirmed
CWE
CWE-416
Status published
Products (3)
lfprojects/valkey < 7.2.11
redis/redis < 6.2.20
redis/redis < 8.2.2
Published Oct 03, 2025
Tracked Since Feb 18, 2026