CVE-2025-49844
CVE Details
Visit the official vulnerability details page for CVE-2025-49844 to learn more.
Initial Publication
11/14/2025
Last Update
01/05/2026
Third Party Dependency
redis
NIST CVE Summary
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around this issue without patching the redis-server executable, prevent users from executing Lua scripts. This can be done by using ACLs to restrict the EVAL and EVALSHA commands.
CVE Severity
Our Official Summary
CVE-2025-49844 is a critical use-after-free (UAF) vulnerability in Redis, an open-source, in-memory data store widely used for caching and fast data access. The flaw exists in the Lua scripting engine integrated into Redis, and if exploited can allow remote code execution (RCE) on the host running the Redis process.
The issue is reported in the Harbor registry pack when it is used within the Kubernetes cluster. Exploiting it would require access to the container and the ability to execute code inside the container; the container has safeguards in place to prevent code execution.
No fix is yet available upstream for the affected Harbor registry pack. Once one is released, it will be adopted. Until then, the upstream workaround quoted above applies: use Redis ACLs to restrict the EVAL and EVALSHA commands so that users cannot run Lua scripts.
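The ACL workaround quoted in the NIST summary only helps if no enabled Redis user can still reach a Lua entry point, and Redis applies `+`/`-` rules in order, so a trailing `+eval` silently undoes an earlier `-@scripting`. The audit below is an added example written for this advisory; it is not code from Spectro Cloud, Harbor or Redis. It parses text lines shaped like the output of `redis-cli ACL LIST`, replays each user's command rules, and reports which enabled users can still run EVAL or EVALSHA. The `SAMPLE_ACL_LIST` lines and the password hashes in them are constructed, and `CATEGORIES` is a hand-written subset of Redis 7's command categories (an assumption, not read from a live server); in a real audit, feed it the live `ACL LIST` output instead.

```python
"""Audit Redis ACL users for Lua-scripting access (CVE-2025-49844 workaround check).

Added example for this advisory, not code from Spectro Cloud, Harbor or Redis.
It replays Redis ACL command rules in order and flags users who can still run
EVAL/EVALSHA. CATEGORIES is a hand-copied subset of Redis 7's command
categories (assumption); SAMPLE_ACL_LIST is constructed, not captured.
"""

# Subset of Redis 7 command categories (assumption: hand-copied, not exhaustive).
CATEGORIES = {
    "scripting": {"eval", "evalsha", "eval_ro", "evalsha_ro", "script",
                  "fcall", "fcall_ro", "function"},
    "read": {"get", "mget", "hget", "lrange", "smembers", "zrange", "exists", "ttl"},
    "write": {"set", "mset", "hset", "lpush", "sadd", "zadd", "del", "expire"},
    "admin": {"config", "debug", "shutdown", "acl", "save", "bgsave"},
}
ALL_COMMANDS = set().union(*CATEGORIES.values())
# The two commands the advisory says to restrict.
LUA_ENTRY_POINTS = {"eval", "evalsha"}


def allowed_commands(rules):
    """Apply ACL command rules left to right and return the resulting allow set.

    Redis evaluates +/- rules in order, so `+@all -@scripting +eval` allows
    everything except scripting and then re-adds EVAL. Key/channel patterns
    (~, %, &), password rules (>, <, #), on/off and flags such as
    sanitize-payload are not command rules and are skipped.
    """
    allowed = set()
    for rule in rules:
        if rule == "allcommands":
            allowed |= ALL_COMMANDS
        elif rule == "nocommands":
            allowed.clear()
        elif rule[:1] in "+-" and len(rule) > 1:
            grant = rule[0] == "+"
            # Drop a subcommand qualifier such as config|get; we track whole commands.
            target = rule[1:].lower().split("|", 1)[0]
            if target == "@all":
                members = ALL_COMMANDS
            elif target.startswith("@"):
                members = CATEGORIES.get(target[1:], set())
            else:
                members = {target}
            allowed = allowed | members if grant else allowed - members
    return allowed


def parse_acl_list_line(line):
    """Turn one `ACL LIST` line into (username, enabled, rule tokens)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    return tokens[1], "on" in tokens[2:], tokens[2:]


def users_with_lua_access(acl_list_lines):
    """Names of enabled users who can still run EVAL or EVALSHA."""
    exposed = []
    for line in acl_list_lines:
        name, enabled, rules = parse_acl_list_line(line)
        if enabled and allowed_commands(rules) & LUA_ENTRY_POINTS:
            exposed.append(name)
    return exposed


def harden_rule(username):
    """ACL SETUSER command that removes the Lua entry points for a user.

    -@scripting is used rather than just -eval -evalsha so that EVAL_RO,
    EVALSHA_RO and FCALL (also Lua-backed in Redis 7) are covered as well.
    """
    return f"ACL SETUSER {username} -@scripting"


# Constructed sample shaped like `redis-cli ACL LIST` on Redis 7. The hash is
# sha256("password") and stands in for real credentials.
_H = "#5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    f"user cache-app on {_H} ~cache:* &* -@all +@read +@write",
    f"user ops-admin on {_H} ~* &* +@all -@scripting",
    f"user legacy-worker on {_H} ~* &* +@all -@scripting +eval",
    "user retired off ~* &* +@all",
]

if __name__ == "__main__":
    for user in users_with_lua_access(SAMPLE_ACL_LIST):
        print(f"{user}: can run EVAL/EVALSHA -> {harden_rule(user)}")
```

Running it against the sample reports `default` (full `+@all`) and `legacy-worker` (whose trailing `+eval` re-enables scripting), while `cache-app`, `ops-admin` and the disabled `retired` user are not flagged. The hardening command deliberately uses the whole `@scripting` category so that a later `+eval_ro` or FCALL path does not reopen the same Lua engine.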
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.8.13 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.7.29 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
Revision History
| Date | Revision |
|---|---|
| 01/05/2026 | Status changed from Open to Ongoing |
| 01/05/2026 | Official summary added |