A practical lab environment for testing and understanding the critical CVE-2025-49844 (RediShell) vulnerability in Redis.
This is for educational purposes only!
- Only use on systems you own or have explicit permission to test
- Never expose to the internet
- Never use in production environments
- CVE ID: CVE-2025-49844
- Name: RediShell
- CVSS Score: 10.0 (Critical)
- Type: Use-After-Free (UAF) in Lua Interpreter
- Impact: Remote Code Execution (RCE)
- Discovered by: Wiz Research Team
All Redis versions before:
- Redis 8.2.2
- Redis 8.0.4
- Redis 7.4.6
- Redis 7.2.11
This lab uses Redis 7.2.0 (vulnerable version).
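The fixed releases above are per release line, so a single "is the version at least X" comparison gives wrong answers (7.4.0 is newer than 7.2.11 but still affected). The following check is an added example, not part of the lab's `exploit_poc.py`; the function names and the sample `INFO` text are constructed for illustration, and only the versions listed above are used.

```python
import re

# Fixed release per release line, copied from the list above.
FIXED = {(8, 2): 2, (8, 0): 4, (7, 4): 6, (7, 2): 11}
NEWEST_FIXED = max(line + (patch,) for line, patch in FIXED.items())

# Constructed sample: excerpt of `INFO server` output from the lab container.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.0\r\nredis_mode:standalone\r\n"


def parse_version(info_text):
    """Extract redis_version from INFO output as a tuple of ints."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("no redis_version field in INFO output")
    return tuple(int(x) for x in m.groups())


def assess(info_text):
    """Return (version, verdict) for CVE-2025-49844 using the list above."""
    version = parse_version(info_text)
    line, patch = version[:2], version[2]
    if line in FIXED:
        # Compare only within the same release line.
        return version, "patched" if patch >= FIXED[line] else "vulnerable"
    if version > NEWEST_FIXED:
        # Release line newer than every fix in the list.
        return version, "patched"
    # Older or unlisted release line: the list above names no fix for it.
    return version, "vulnerable-no-listed-fix"


if __name__ == "__main__":
    print(assess(SAMPLE_INFO))
```
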
```bash
# Install Docker and Docker Compose
sudo apt-get update
sudo apt-get install docker.io docker-compose

# Install Python dependencies
pip install redis colorama
```
```bash
# 1. Start vulnerable Redis instance
docker-compose up -d

# 2. Wait a few seconds for Redis to start
sleep 5

# 3. Verify Redis is running
docker-compose ps

# 4. Run the exploit
python3 exploit_poc.py -H localhost -p 6380 -m all
```
```bash
# Check vulnerability only
python3 exploit_poc.py -H localhost -p 6380 -m check

# Run basic UAF test
python3 exploit_poc.py -H localhost -p 6380 -m basic

# Test sandbox escape
python3 exploit_poc.py -H localhost -p 6380 -m sandbox

# Test advanced memory corruption
python3 exploit_poc.py -H localhost -p 6380 -m advanced

# Run all tests
python3 exploit_poc.py -H localhost -p 6380 -m all

# With authentication
python3 exploit_poc.py -H localhost -p 6380 -a "password" -m all
```
```bash
# View logs
docker-compose logs -f

# Connect to Redis CLI
docker-compose exec redis-vulnerable redis-cli

# Stop the lab
docker-compose down

# Remove everything (including volumes)
docker-compose down -v
```
```
╔═══════════════════════════════════════════════════════════╗
║ CVE-2025-49844 (RediShell) PoC ║
║ Use-After-Free in Redis Lua Interpreter ║
║ CVSS Score: 10.0 (CRITICAL) ║
╚═══════════════════════════════════════════════════════════╝
[*] Testing connection to localhost:6380...
[+] Connected successfully!
[i] Redis Version: 7.2.0
[*] Checking if Lua scripting is enabled...
[+] Lua scripting is enabled!
[*] Checking vulnerability status...
[i] Detected Redis version: 7.2.0
[!] VULNERABLE: This version is affected by CVE-2025-49844
[!] Update to the latest patched version immediately!
[*] Attempting basic UAF trigger...
[+] Lua script executed: UAF pattern executed
[!] UAF pattern triggered (simplified demo)
[*] Testing Lua sandbox boundaries...
[*] Testing os.execute...
[+] Protected: os.execute blocked
[*] Testing io.popen...
[+] Protected: io.popen blocked
[*] Testing loadfile...
[+] Protected: loadfile blocked
[*] Testing package.loadlib...
[+] Protected: package.loadlib blocked
[*] Attempting memory corruption pattern...
[+] Memory corruption pattern executed: Memory corruption pattern completed
[!] In vulnerable versions, this could lead to RCE!
============================================================
[*] PoC execution completed
============================================================
```
- Connect to Redis (authenticated or unauthenticated)
- Send malicious Lua script via EVAL command
- Trigger Use-After-Free through garbage collection
- Escape Lua sandbox to access restricted functions
- Execute arbitrary native code outside the sandbox
- Gain full host access for data exfiltration, malware installation, etc.
The vulnerability exploits a 13-year-old Use-After-Free bug in Redis's Lua interpreter:
- Memory Corruption: Improper memory management during garbage collection
- Sandbox Escape: Bypass Lua sandbox restrictions
- Code Execution: Execute arbitrary system commands
- Full Compromise: Complete access to the host system
```bash
# Pull latest patched version
docker pull redis:8.2.2
# or
docker pull redis:7.4.6
```
```conf
# /etc/redis/redis.conf

# Enable authentication
requirepass your_strong_password_here

# Restrict network access
bind 127.0.0.1 ::1
protected-mode yes

# Disable dangerous commands
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG ""
rename-command EVAL ""
rename-command EVALSHA ""

# Enable logging
loglevel notice
logfile /var/log/redis/redis-server.log
```
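A small audit of a `redis.conf` against the settings shown above, as an added example that is not part of the lab repository. The function names and `WEAK_CONF` are constructed; the Lua entry points beyond `EVAL` and `EVALSHA` (available in Redis 7.0 and later) are an addition made here and do not come from the page.

```python
import shlex

# EVAL/EVALSHA are the commands the page disables. The other Lua entry points
# (Redis 7.0+) are an addition made by this example, not part of the page.
LUA_COMMANDS = ("EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO",
                "FCALL", "FCALL_RO", "FUNCTION")
LOOPBACK = {"127.0.0.1", "::1", "-127.0.0.1", "-::1"}  # "-" marks optional

# Constructed sample: a config with none of the hardening applied.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
rename-command FLUSHALL ""
"""


def parse_conf(text):
    """Map each directive to the list of its argument lists, in file order."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            conf.setdefault(name.lower(), []).append(args)
    return conf


def last(conf, name, default):
    """Last occurrence wins in redis.conf; absent or empty gives default."""
    values = conf.get(name)
    return values[-1] if values and values[-1] else default


def audit(text):
    """Return findings for redis.conf text against the settings shown above."""
    conf, findings = parse_conf(text), []
    if not last(conf, "requirepass", [""])[0]:
        findings.append("requirepass not set")
    if any(a not in LOOPBACK for a in last(conf, "bind", ["*"])):
        findings.append("bind includes a non-loopback address")
    if last(conf, "protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode disabled")
    disabled = {a[0].upper() for a in conf.get("rename-command", [])
                if len(a) == 2 and a[1] == ""}
    findings += [f"{c} not disabled" for c in LUA_COMMANDS if c not in disabled]
    return findings
```

Run against the configuration above, `audit` reports only the additional Lua commands; removing the `@scripting` ACL category from a user covers those as well.
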
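```bash
# Disable Lua scripting for specific users
redis-cli ACL SETUSER myuser -@scripting

# Create limited user
# (quote '>password' and '~*' so the shell does not treat them as a
# redirection and a tilde/glob pattern)
redis-cli ACL SETUSER limited on '>password' '~*' +@read +@write -@scripting
```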
```bash
# Use firewall rules
sudo ufw allow from 192.168.1.0/24 to any port 6379
sudo ufw deny 6379

# Or use iptables
sudo iptables -A INPUT -p tcp --dport 6379 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 6379 -j DROP
```
```bash
# Check what's using the port
sudo lsof -i :6380

# Or change port in docker-compose.yml
# ports:
#   - "6381:6379"
```
```bash
# Install required packages
pip install redis colorama

# Or use virtual environment
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```
```bash
# Add user to docker group
sudo usermod -aG docker $USER
# Then log out and log in again
```
```bash
# Check logs
docker-compose logs

# Restart container
docker-compose restart

# Rebuild image
docker-compose up -d --build
```
```
redis_exploit/
├── Dockerfile          # Redis 7.2.0 vulnerable instance
├── docker-compose.yml  # Docker Compose configuration
├── exploit_poc.py      # Main exploit script
├── requirements.txt    # Python dependencies
├── .gitignore          # Git ignore file
└── README.md           # This file
```
This PoC is simplified and for educational purposes only. The actual CVE-2025-49844 exploit involves complex memory manipulation. Always patch your Redis instances to the latest version!