
RCE flaw in Redis let attackers escape Lua sandbox
Researchers Uncover 13-Year-Old Redis Flaw Impacting Nearly 330,000 Instances

The bug, tracked as CVE-2025-49844 and nicknamed RediShell, carried a top severity score — 10.0 on the CVSS scale — and affected every Redis release. An attacker with the ability to submit a Lua script — a capability that Redis supports by default — could trigger…