Saved February 14, 2026
Do you care about this?
Redis has issued a security advisory for a critical use-after-free vulnerability that allows attackers to execute remote code via Lua scripting. This affects older versions of Redis and Valkey, enabling potential data theft and system compromise. Users are urged to upgrade to patched versions immediately.
If you do, here's more
Redis has issued a security advisory for CVE-2025-49844, a serious use-after-free vulnerability in its Lua scripting feature. With a CVSS score of 10.0, this flaw allows authenticated attackers to execute remote code on older Redis and Valkey versions where Lua scripting is enabled. To mitigate the risk, developers must upgrade to the specific patched releases immediately. The flaw is a 13-year-old memory corruption bug that lets attackers break out of the Lua sandbox, gain full access to the host, and potentially steal or manipulate data.
Wiz researchers discovered that around 330,000 Redis instances are exposed to the internet, with over 60,000 lacking authentication. This presents a significant risk, especially since Redis is widely used in cloud environments, with an estimated 75% adoption rate. Attackers can craft Lua scripts to exploit the vulnerability, establishing a reverse shell for persistent access, which can lead to data exfiltration or malware installation. Riaz Lakhani, CISO at Redis, emphasizes the importance of strong authentication and limiting permissions to trusted identities.
Experts like Allen Helton and Khawaja Shams highlight that even after patching, Redis instances without authentication remain vulnerable to unauthorized access within private networks. They stress the need for basic security measures, such as password protection on Valkey nodes. Additionally, Matthias Endler notes the challenge of finding such critical bugs in C, pointing out the inherent risks of memory-safety issues that can remain hidden for years. Developers are advised to update to specific versions to address the vulnerability, with Valkey also releasing patches for affected versions.
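As an added example that is not part of the article or of Redis's own tooling: a small Python audit that speaks raw RESP to check the two conditions the article warns about, access without authentication and Lua scripting reachable by the connecting identity, and lists the configuration lines that close them. The host name, the rating labels and the placeholder secrets are assumptions; the reply strings used in the checks are constructed to mirror standard Redis replies.

```python
import socket


def resp_command(*args):
    """Encode a command as a RESP array, the same framing redis-cli puts on the wire."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode() if isinstance(a, str) else a
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def classify_reply(raw):
    """Map a raw RESP reply to a finding: '+PONG' means no auth was needed,
    '-NOAUTH' means auth is enforced, ':1' means EVAL ran, '-NOPERM' means an
    ACL rule blocked the command."""
    first = raw.split(b"\r\n", 1)[0]
    if first == b"+PONG":
        return "unauthenticated-access"
    if first.startswith(b"-NOAUTH"):
        return "auth-required"
    if first.startswith(b"-NOPERM"):
        return "scripting-denied-by-acl"
    if first.startswith(b":"):
        return "scripting-reachable"
    return "unknown:" + first.decode(errors="replace")


def probe(host, port=6379, timeout=3.0):
    """Send PING and a no-op EVAL without credentials and classify both replies."""
    findings = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        for name, cmd in (("ping", resp_command("PING")),
                          ("eval", resp_command("EVAL", "return 1", "0"))):
            s.sendall(cmd)
            findings[name] = classify_reply(s.recv(4096))
    return findings


def assess(findings):
    """Rate the instance from the two findings (rating labels are this example's own)."""
    if findings["ping"] == "auth-required":
        return "OK: auth enforced; still confirm the build is patched"
    if findings["eval"] == "scripting-reachable":
        return "CRITICAL: unauthenticated Lua scripting reachable"
    return "HIGH: unauthenticated access, scripting restricted by ACL"


# redis.conf lines that match the article's advice (secrets are placeholders):
# require a password, keep the instance off public interfaces, and give the
# application identity no access to the @scripting category (EVAL/EVALSHA).
HARDENING_LINES = [
    "requirepass <long-random-admin-secret>",
    "bind 127.0.0.1",
    "protected-mode yes",
    "user app on ><app-secret> ~app:* +@all -@scripting -@dangerous",
]

if __name__ == "__main__":
    print(assess(probe("redis.internal.example")))  # assumed host name
```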