CVE-2025-49844 is a critical (CVSS 9.9) Redis vulnerability that allows an authenticated user to run a specially crafted Lua script, manipulate the garbage collector (use-after-free), and potentially achieve remote code execution (RCE). It affects all Redis versions with Lua scripting enabled. The official fix is in Redis 8.2.2. On Ubuntu, patched packages are available for 24.04 (noble), 25.04 (plucky) and 25.10 (questing); 22.04 (jammy) is currently listed as vulnerable pending Canonical’s update.
If you use RunCloud: Redis on RunCloud servers is managed and updated by Ubuntu’s repositories, not by RunCloud. If Security Updates are enabled in your RunCloud Dashboard (enabled by default), your server will automatically receive Ubuntu’s patched Redis package once it’s published. Until then, follow Ubuntu’s temporary mitigation: block EVAL and EVALSHA (or the entire @scripting ACL category).
1) Who is affected?
- Software: Redis with Lua scripting exposed (EVAL / EVALSHA).
- Impact: with credentials (e.g., after AUTH), an attacker can load a crafted Lua script to trigger a use-after-free and escalate to RCE.
- Scope: all Redis versions that allow Lua scripting.
- Upstream fix: Redis 8.2.2.
- Ubuntu status (per Canonical):
  - 25.10 (questing): Fixed (redis 5:8.0.2-3ubuntu0.25.10.1 / redict 7.3.5+ds-1ubuntu0.1).
  - 25.04 (plucky): Fixed (redis 5:7.0.15-3ubuntu0.1 / redict 7.3.2+ds-1ubuntu0.1).
  - 24.04 LTS (noble): Fixed (redis 5:7.0.15-1ubuntu0.24.04.2).
  - 22.04 LTS (jammy): Vulnerable (pending a standard repo update).
  - 20.04 LTS (focal) and older: fixes available via ESM/Ubuntu Pro.
Note: valkey (Redis fork) is currently listed vulnerable on 24.04/25.04/25.10.
2) What to do now (priorities)
A) Apply the patch as soon as your Ubuntu release has it
- Check if an update is available:
sudo apt update
apt list --upgradable | grep -i redis
- Upgrade when Canonical publishes the fix for your release:
sudo apt update
sudo apt install --only-upgrade redis-server
sudo systemctl restart redis
- Verify version:
redis-cli INFO server | grep -E 'redis_version|redis_git_sha1'
Caveat: Ubuntu backports the fix into the existing release, so redis_version does not move to 8.2.2 (noble and plucky keep reporting 7.0.15 after the update). To confirm the fix on Ubuntu, compare the installed redis-server package version with the fixed package version listed in section 1 for your release.
RunCloud: with Security Updates enabled (default), the patch will install automatically once available. Still, monitor the dashboard and the apt logs (/var/log/apt/history.log) until you see the fixed package version land.
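Because the Ubuntu fix keeps the upstream version number, the check below compares the installed redis-server package version with the fixed package versions from section 1 instead of looking at redis_version. This is an added example, not a script from the original post, RunCloud or Canonical; it assumes /etc/os-release and dpkg are present, and the version table is the one above (re-check it against Ubuntu's CVE page before relying on it).

```shell
#!/bin/sh
# Added example (not from the post, RunCloud or Canonical). Reports whether the
# installed redis-server package is at or above the fixed version for this
# Ubuntu release. Assumes /etc/os-release and dpkg exist.

# Fixed redis package version per release codename, as listed in section 1.
# Returns 1 for jammy (no standard-repo fix published when this was written)
# and 2 for releases the table does not cover (focal and older need ESM).
fixed_redis_version_for() {
  case "$1" in
    questing) echo "5:8.0.2-3ubuntu0.25.10.1" ;;
    plucky)   echo "5:7.0.15-3ubuntu0.1" ;;
    noble)    echo "5:7.0.15-1ubuntu0.24.04.2" ;;
    jammy)    return 1 ;;
    *)        return 2 ;;
  esac
}

# Exit 0 when the package is patched, 1 when the ACL mitigation must stay in
# place, 2 when Redis is not installed from a package on this host.
check_redis_patch() {
  codename=$(. /etc/os-release && printf '%s' "$VERSION_CODENAME")
  installed=$(dpkg-query -W -f='${Version}' redis-server 2>/dev/null) ||
    { echo "redis-server is not installed from a package here"; return 2; }
  if fixed=$(fixed_redis_version_for "$codename"); then
    # dpkg understands epochs ("5:") and Ubuntu revision suffixes; do not
    # compare these strings lexically.
    if dpkg --compare-versions "$installed" ge "$fixed"; then
      echo "$codename: redis-server $installed >= $fixed: patched"
      return 0
    fi
    echo "$codename: redis-server $installed < $fixed: not patched, upgrade"
    return 1
  fi
  echo "$codename: no fixed package in the table, keep the ACL mitigation (installed: $installed)"
  return 1
}

case "${1:-}" in
  check) check_redis_patch ;;
esac
```

Run it as `sh redis-patch-check.sh check` after each apt run; a non-zero exit means the ACL mitigation from section 2B still has to stay in place.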
B) Temporary mitigation (Ubuntu/RunCloud) — block Lua scripting via ACL
While you wait for the Ubuntu patch (notably on 22.04), or if you can't upgrade immediately, block EVAL and EVALSHA via ACL:
- Edit Redis config:
sudo nano /etc/redis/redis.conf
- Append at the end (replace yourpassword with your actual Redis password, found as requirepass in this file or in RunCloud → Server Settings → Redis):
user default on >yourpassword ~* &* +@all -eval -evalsha
On Redis 7.x prefer -@scripting over -eval -evalsha: 7.0 added EVAL_RO and EVALSHA_RO and the Lua-based Functions API (FUNCTION LOAD / FCALL), which a rule that only denies EVAL and EVALSHA leaves open.
- Restart:
sudo systemctl restart redis
- Verify ACL:
redis-cli -a yourpassword ACL LIST
Confirm that the default user's rules deny eval and evalsha (or the whole @scripting category) and that no later rule re-adds them: ACL rules apply left to right, so a +@all or +eval after the deny would undo the block.
Direct test:
redis-cli -a yourpassword EVAL "return 1" 0
# Should fail with: (error) NOPERM this user has no permissions to run the 'eval' command...
Passing -a on the command line makes redis-cli print a warning and exposes the password to the process list and shell history; export it as REDISCLI_AUTH instead.
Compatibility note (Redis 6.0.16 on Ubuntu 22.04)
If Redis fails to restart after adding &* in the ACL (reported with 6.0.16/jammy; channel permissions such as &* only exist from Redis 6.2 on), use this variant:
user default on >yourpassword ~* +@all -@scripting +script
-@scripting blocks all Lua script execution. +script re-enables the SCRIPT management commands (SCRIPT FLUSH, SCRIPT EXISTS, etc.). It also re-enables SCRIPT LOAD, which compiles Lua source, and 6.0 has no per-subcommand ACL rules to separate the two, so leave +script out unless your application actually needs those commands.
Restart and re-verify.
No ACLs (very old Redis)?
If you're on a vintage release without ACLs (pre-6.0) and cannot update today, you can neutralize the commands by renaming them in redis.conf (last resort; this is a config-file setting and needs a restart):
rename-command EVAL ""
rename-command EVALSHA ""
Restart and confirm they're gone.
Important: apply mitigation on all nodes (master/replicas, cluster, sentinel) and all instances that accept app/user connections.
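The ACL steps above go through redis.conf and a restart, which drops an unpersisted cache. The script below is an added example (not from the original post, RunCloud or Redis) that applies the same rule at runtime with ACL SETUSER, persists it where Redis keeps its users, and verifies it the same way as the "Direct test" above; the verify step is also the ACL LIST health check suggested in section 4. It assumes redis-cli can reach the instance, that the password is exported as REDISCLI_AUTH, and that CONFIG is not renamed away; the sample ACL LIST lines in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the post, RunCloud or Redis). Applies the ACL
# mitigation live (no restart), persists it, and verifies it. Assumes
# redis-cli reaches the instance and REDISCLI_AUTH holds the password.

# Return 0 when the "user default" line of `ACL LIST` output denies both EVAL
# and EVALSHA. Rules apply left to right, so walk the tokens and keep the last
# word; a trailing +eval or +@all would reopen what -@scripting closed.
# Accepts both forms used in the post ("-eval -evalsha" and "-@scripting").
scripting_blocked() {
  line=$(printf '%s\n' "$1" | grep '^user default ' || true)
  [ -n "$line" ] || return 1
  eval_ok=0; evalsha_ok=0
  set -f                      # no globbing: "~*" and "&*" are ACL tokens
  for tok in $line; do        # unquoted on purpose: split into rule tokens
    case "$tok" in
      allcommands|+@all|+@scripting) eval_ok=1; evalsha_ok=1 ;;
      nocommands|-@all|-@scripting)  eval_ok=0; evalsha_ok=0 ;;
      +eval)    eval_ok=1 ;;
      -eval)    eval_ok=0 ;;
      +evalsha) evalsha_ok=1 ;;
      -evalsha) evalsha_ok=0 ;;
    esac
  done
  set +f
  [ "$eval_ok" -eq 0 ] && [ "$evalsha_ok" -eq 0 ]
}

# Verify: ACL LIST must deny scripting and a real EVAL must fail with NOPERM.
verify_mitigation() {
  scripting_blocked "$(redis-cli ACL LIST)" ||
    { echo "FAIL: default user can still run Lua"; return 1; }
  if redis-cli EVAL "return 1" 0 2>&1 | grep -q NOPERM; then
    echo "OK: EVAL/EVALSHA blocked for default user"
  else
    echo "FAIL: EVAL still runs"; return 1
  fi
}

# Apply the rule to the default user immediately (existing connections are
# checked per command, so no restart is needed), then persist it: ACL SAVE
# when an aclfile is configured, otherwise CONFIG REWRITE writes the user line
# into redis.conf (this fails if Redis was started without a config file).
apply_mitigation() {
  rule=${1:--@scripting}    # default "-@scripting"; pass "-eval -evalsha" on 6.0.x if needed
  redis-cli ACL SETUSER default $rule >/dev/null
  aclfile=$(redis-cli CONFIG GET aclfile | sed -n 2p)
  if [ -n "$aclfile" ]; then
    redis-cli ACL SAVE >/dev/null
  else
    redis-cli CONFIG REWRITE >/dev/null
  fi
  verify_mitigation
}

case "${1:-}" in
  apply)  apply_mitigation "$2" ;;
  verify) verify_mitigation ;;
esac
```

Run `REDISCLI_AUTH=yourpassword sh redis-acl-mitigation.sh apply` on every node, and `... verify` from cron or your monitoring to alert if the rule disappears. For a 6.0.x instance that still needs SCRIPT commands, pass `"-@scripting +script"` as the second argument; `scripting_blocked` still reports that as blocked because SCRIPT is not EVAL.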
3) Quick checklist (RunCloud / Ubuntu)
- Security Updates toggled On in RunCloud Dashboard.
- Check Redis version and Ubuntu release (redis-cli INFO server, lsb_release -a).
- On 22.04 (or any still-vulnerable release), apply the ACL above and restart.
- Validate with redis-cli that EVAL/EVALSHA are blocked.
- Monitor apt until the patched package lands; upgrade, then only remove the mitigation after confirming a fixed version.
- Docker users: rebuild images with Redis 8.2.2 or the patched Ubuntu package; or override redis.conf to apply the ACL until you can rebuild.
4) Detection & observability (recommended)
- Logs: watch for attempted EVAL/EVALSHA after the ACL is in place. Redis does not write NOPERM denials to its log file; they are recorded in memory by ACL LOG (Redis 6.0+), which keeps the denied command, the user and the client address for the last acllog-max-len entries (default 128).
- Alerting: add a health check that runs ACL LIST and verifies -eval/-evalsha or -@scripting.
- Exposure: ensure Redis isn't publicly exposed (firewall, bind 127.0.0.1 ::1 as applicable, requirepass).
- Scope: inventory all Redis instances (prod, staging, dev, containers) and apply the same control.
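The log item above is easiest to act on with ACL LOG. The script below is an added example (not from the original post or Redis) that turns `redis-cli ACL LOG` output into per-user counts of denied scripting commands, so a cron job or monitor can alert when someone is probing EVAL after the mitigation. It assumes redis-cli is run non-interactively (raw mode, where every reply element is printed on its own line and entries are key/value pairs starting at "count") and that REDISCLI_AUTH holds the password; the sample log entries are constructed.

```shell
#!/bin/sh
# Added example (not from the post or Redis). Summarizes denied scripting
# commands from `redis-cli ACL LOG` raw-mode output. Assumes REDISCLI_AUTH is
# set for the live check. SAMPLE_ACL_LOG is constructed for the demo.

# Summarize ACL LOG text: one line "user command count" per (user, command)
# for entries whose reason is "command" (a NOPERM denial) and whose object is
# a scripting command. Each entry starts at the "count" key; keys and values
# alternate on successive lines.
summarize_denied_scripts() {
  printf '%s\n' "$1" | awk '
    function flush() {
      if (n != "" && reason == "command" &&
          obj ~ /^(eval|evalsha|eval_ro|evalsha_ro|fcall|fcall_ro|script|function)$/)
        tally[user " " obj] += n
      n = ""; reason = ""; obj = ""; user = ""
    }
    key == "" { key = $0; if (key == "count") flush(); next }
    {
      if (key == "count") n = $0
      else if (key == "reason") reason = $0
      else if (key == "object") obj = tolower($0)
      else if (key == "username") user = $0
      key = ""
    }
    END { flush(); for (k in tally) print k, tally[k] }
  ' | sort
}

# Live check: read the in-memory log (bounded by acllog-max-len, default 128),
# print the summary, and exit 1 when anything was denied so a monitor can alert.
check_acl_log() {
  out=$(summarize_denied_scripts "$(redis-cli ACL LOG 128)")
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Constructed sample: two NOPERM denials (EVAL x3 by "default", EVALSHA x1 by
# "app") and one failed AUTH, in the shape raw-mode redis-cli prints.
SAMPLE_ACL_LOG='count
3
reason
command
context
toplevel
object
eval
username
default
age-seconds
4.096
client-info
id=6 addr=127.0.0.1:63026 laddr=127.0.0.1:6379 fd=8 name= age=12 idle=0 flags=N db=0 cmd=eval user=default
count
1
reason
command
context
toplevel
object
evalsha
username
app
age-seconds
30.5
client-info
id=7 addr=10.0.0.5:41234 laddr=10.0.0.10:6379 fd=9 name= age=40 idle=1 flags=N db=0 cmd=evalsha user=app
count
2
reason
auth
context
toplevel
object
AUTH
username
default
age-seconds
99.0
client-info
id=8 addr=10.0.0.6:5000 laddr=10.0.0.10:6379 fd=10 name= age=1 idle=0 flags=N db=0 cmd=auth user=default'

case "${1:-demo}" in
  live) check_acl_log ;;
  demo) summarize_denied_scripts "$SAMPLE_ACL_LOG" ;;
esac
```

`sh acl-log-check.sh live` is the cron form; after you have reviewed and ticketed the entries, `redis-cli ACL LOG RESET` clears the in-memory log so the next run reports only new attempts. The failed-AUTH entry is deliberately ignored here because it is a different signal (password guessing) that deserves its own alert.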
5) FAQ
Is blocking EVAL/EVALSHA enough?
As a temporary mitigation, yes: it removes the vulnerable vector. It does not replace the patch (Redis 8.2.2 / Ubuntu's fixed packages). On Redis 6.0.16/22.04, use -@scripting +script if the previous ACL syntax breaks startup.
Will I lose functionality by blocking scripting?
Yes, any Lua-based features will fail. If your application depends on Lua, consider isolating that instance with minimal privileges and expedite upgrading to a patched version.
When can I remove the ACL mitigation?
After you’ve confirmed your instance runs a fixed version (Redis 8.2.2 or Ubuntu’s patched package) and you’ve validated any Lua dependencies.
I’m on Ubuntu 24.04/25.04/25.10: do I need to act?
If your system already received the patched package (see Ubuntu's advisory), upgrade via apt and restart Redis. Still, it's prudent to review Lua exposure.
6) Useful links
- Ubuntu CVE notice (CVE-2025-49844): https://ubuntu.com/security/CVE-2025-49844
- Redis security advisory / release 8.2.2 (GHSA / release notes)
- RunCloud — Dashboard: Server Settings → Security Updates and Redis.
Bottom line
CVE-2025-49844 is critical, needs only authenticated access (which a default configuration without requirepass hands to any client that can reach the port), and can lead to RCE. The good news: there's an official fix (Redis 8.2.2) and a straightforward ACL mitigation. If you manage servers with RunCloud/Ubuntu, ensure Security Updates are enabled, apply the ACL today, and upgrade as soon as Canonical publishes the patched package for your release. Keep the mitigation in place until you've confirmed your Redis package is fixed.