Redis: critical remote code execution hole in the database
The developers of the Redis database have released an updated version that plugs a critical security hole.
With an updated release, the Redis developers have closed four vulnerabilities in the Redis database. One of them carries the maximum CVSS score of 10. Administrators should update their installations to the new version immediately.
The Redis project lists the four vulnerabilities in the release notes for version 8.2.2. Authenticated users, meaning any client that is allowed to submit Lua scripts to the server, can use specially crafted Lua scripts to manipulate the garbage collector, trigger a use-after-free and thereby execute arbitrary code remotely (CVE-2025-49844 / EUVD-2025-32326, CVSS 10, risk "critical"). Such Lua scripts can also trigger an integer overflow, which likewise can lead to remote code execution (CVE-2025-46817 / EUVD-2025-32363, CVSS 7.0, risk "high").
The other two vulnerabilities are less severe. Crafted Lua scripts can read memory outside the intended areas or crash the server, causing a denial of service (CVE-2025-46819 / EUVD-2025-32327, CVSS 6.3, risk "medium"). Lua scripts can also manipulate other Lua objects and thereby execute their own code in the context of another user (CVE-2025-46818 / EUVD-2025-32328, CVSS 6, risk "medium").
Install a fixed Redis version
IT security researchers at Wiz have also published a detailed analysis of the most serious of the vulnerabilities. Since at least one of them is rated critical, admins should update their Redis instances to version 8.2.2 or newer without delay. The source code of the open-source software is available on GitHub.
Linux distributions should provide updated packages shortly, so that the package management of the distribution in use can deliver the fix. Until an updated package is available, Red Hat recommends, among other measures, restricting access to the server to trusted hosts (https://access.redhat.com/security/cve/cve-2025-49844). Security researchers had already identified and demonstrated vulnerabilities in Redis at the Pwn2Own event in Berlin.
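To turn the advice above into a check an admin can run against their own fleet, the following script parses the text that `redis-cli INFO server` and `redis-cli ACL LIST` print, reports whether the server version is at or above the 8.2.2 fix named in the article, and lists every enabled ACL user whose rules still permit a Lua-running command (EVAL, EVALSHA and, as an assumption, the read-only and FCALL variants). This is an added example and not code from heise, Redis or Red Hat; the sample INFO and ACL output is constructed, and fixed versions for branches other than 8.2.x are deliberately not encoded, since the article names only 8.2.2.

```python
"""Offline check of Redis INFO/ACL output against the Lua-scripting CVEs.

Added example (not from the article or the Redis project). Feed it the
output of `redis-cli INFO server` and `redis-cli ACL LIST`, or run it with
no arguments to use the constructed samples below.
"""
import re
import sys

# Fixed version named in the article. Other release branches have their own
# fix releases; this example does not track them (assumption/limitation).
FIXED_VERSION = (8, 2, 2)

# Commands that execute user-supplied Lua (assumption: the EVAL family plus
# FCALL, which runs Lua-based Redis Functions through the same interpreter).
SCRIPT_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro"}

# Constructed sample output, mimicking `redis-cli INFO server`.
SAMPLE_INFO = """# Server
redis_version:8.2.1
redis_mode:standalone
os:Linux 6.8.0 x86_64
"""

# Constructed sample output, mimicking `redis-cli ACL LIST` (hashes are dummies).
SAMPLE_ACL = """user default on nopass sanitize-payload ~* &* +@all
user app on #d74ff0ee8da3b9806b18c877dbf29bbde50b5bd8e4dad7a3a725000feb82e8f1 ~app:* &* -@all +get +set +eval
user report on #8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 ~* &* +@all -@scripting
user legacy off nopass ~* &* +@all
"""


def parse_version(info_text):
    """Return redis_version from INFO output as an (major, minor, patch) tuple, or None."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def version_status(version):
    """'patched', 'vulnerable' or 'unknown' relative to the 8.2.2 fix line."""
    if version is None:
        return "unknown"
    if version[:2] == FIXED_VERSION[:2]:
        return "patched" if version >= FIXED_VERSION else "vulnerable"
    if version > FIXED_VERSION:
        return "patched"
    # 7.x / 8.0.x etc.: compare against the release notes of that branch
    return "unknown"


def scripting_users(acl_list_text):
    """Enabled users whose command rules still allow a Lua-running command.

    Rules are applied left to right, later rules overriding earlier ones, as
    Redis does. Selector blocks in parentheses (Redis 7+) are not handled
    (assumption/limitation of this example).
    """
    risky = []
    for line in acl_list_text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "user":
            continue
        name, rules = tokens[1], tokens[2:]
        if "on" not in rules:  # 'off' users cannot run anything
            continue
        allowed = set()
        for tok in rules:
            low = tok.lower()
            if low in ("+@all", "allcommands"):
                allowed = set(SCRIPT_COMMANDS)
            elif low in ("-@all", "nocommands"):
                allowed.clear()
            elif low == "+@scripting":
                allowed |= SCRIPT_COMMANDS
            elif low == "-@scripting":
                allowed -= SCRIPT_COMMANDS
            elif low.startswith("+") and low[1:] in SCRIPT_COMMANDS:
                allowed.add(low[1:])
            elif low.startswith("-") and low[1:] in SCRIPT_COMMANDS:
                allowed.discard(low[1:])
        if allowed:
            risky.append((name, sorted(allowed)))
    return risky


def report(info_text, acl_text):
    """Combine both checks into one result dict."""
    version = parse_version(info_text)
    return {
        "version": version,
        "status": version_status(version),
        "scripting_users": scripting_users(acl_text),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py info.txt acl.txt
        info, acl = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        info, acl = SAMPLE_INFO, SAMPLE_ACL
    result = report(info, acl)
    print("redis_version:", result["version"], "->", result["status"])
    for user, cmds in result["scripting_users"]:
        print("user %s can still run: %s" % (user, ", ".join(cmds)))
```

On the constructed sample the script flags 8.2.1 as vulnerable and reports that `default` (full `+@all`) and `app` (explicit `+eval`) can still run Lua, while `report` is covered by its `-@scripting` rule and `legacy` is disabled. Dropping `@scripting` from users that do not need it is a stopgap until the package update lands, not a replacement for it: the `default` user with `nopass` and `+@all` in the sample is exactly the configuration that makes these bugs reachable by anyone who can open a TCP connection.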
(dmk)