CVE-2025-49844 (RediShell) - Lab Environment
A practical lab environment for testing and understanding the critical CVE-2025-49844 (RediShell) vulnerability in Redis.
⚠️ WARNING
This is for educational purposes only!
- Only use on systems you own or have explicit permission to test
- Never expose to the internet
- Never use in production environments
About the Vulnerability
- CVE ID: CVE-2025-49844
- Name: RediShell
- CVSS Score: 10.0 (Critical)
- Type: Use-After-Free (UAF) in Lua Interpreter
- Impact: Remote Code Execution (RCE)
- Discovered by: Wiz Research Team
Vulnerable Versions
All Redis versions before:
- Redis 8.2.2
- Redis 8.0.4
- Redis 7.4.6
- Redis 7.2.11
This lab uses Redis 7.2.0 (vulnerable version).
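A defensive version check that mirrors the list above, added here as an example and not part of the lab's exploit_poc.py: it parses the version out of an `INFO server` reply and compares it with the first fixed release of each branch. A branch with no fixed release in the list (e.g. 6.x or 8.1.x) is treated as affected; that is an assumption made by this example, and the `assess_live` helper and its `localhost:6380` default are likewise assumptions, not the lab's own code.

```python
import re

# First fixed release per branch, from the 'Vulnerable Versions' list above.
PATCHED = {(8, 2): (8, 2, 2), (8, 0): (8, 0, 4), (7, 4): (7, 4, 6), (7, 2): (7, 2, 11)}


def parse_version(text):
    """Turn '7.2.0' into (7, 2, 0); raise ValueError on anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised redis_version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_from_info(info_text):
    """Pull redis_version out of a raw 'INFO server' reply."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return parse_version(line.split(":", 1)[1])
    raise ValueError("redis_version not present in INFO output")


def assess(version):
    """Return (vulnerable, reason) for a (major, minor, patch) tuple."""
    fixed = PATCHED.get(version[:2])
    if fixed is None:
        # Assumption: a branch with no patched release in the list is treated as affected.
        return True, "no patched release listed for this branch; treat as affected"
    if version < fixed:
        return True, "older than first fixed release %d.%d.%d" % fixed
    return False, "at or above first fixed release %d.%d.%d" % fixed


def assess_live(host="localhost", port=6380, password=None):
    """Query a running instance with redis-py (the package the lab installs)."""
    import redis  # imported here so the offline sample below needs no server
    info = redis.Redis(host=host, port=port, password=password).info("server")
    return assess(parse_version(info["redis_version"]))


# Constructed 'INFO server' fragment, as the lab's Redis 7.2.0 container would answer.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.0\r\nredis_mode:standalone\r\n"

if __name__ == "__main__":
    v = version_from_info(SAMPLE_INFO)
    vuln, why = assess(v)
    print("Redis %d.%d.%d: %s (%s)" % (*v, "VULNERABLE" if vuln else "patched", why))
```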
Quick Start
Prerequisites
# Install Docker and Docker Compose
sudo apt-get update
sudo apt-get install docker.io docker-compose
# Install Python dependencies
pip install redis colorama
Setup and Run
# 1. Start vulnerable Redis instance
docker-compose up -d
# 2. Wait a few seconds for Redis to start
sleep 5
# 3. Verify Redis is running
docker-compose ps
# 4. Run the exploit
python3 exploit_poc.py -H localhost -p 6380 -m all
Usage
Basic Commands
# Check vulnerability only
python3 exploit_poc.py -H localhost -p 6380 -m check
# Run basic UAF test
python3 exploit_poc.py -H localhost -p 6380 -m basic
# Test sandbox escape
python3 exploit_poc.py -H localhost -p 6380 -m sandbox
# Test advanced memory corruption
python3 exploit_poc.py -H localhost -p 6380 -m advanced
# Run all tests
python3 exploit_poc.py -H localhost -p 6380 -m all
# With authentication
python3 exploit_poc.py -H localhost -p 6380 -a "password" -m all
Docker Management
# View logs
docker-compose logs -f
# Connect to Redis CLI
docker-compose exec redis-vulnerable redis-cli
# Stop the lab
docker-compose down
# Remove everything (including volumes)
docker-compose down -v
Expected Output
Successful Test (Vulnerable Version)
╔═══════════════════════════════════════════════════════════╗
║ CVE-2025-49844 (RediShell) PoC ║
║ Use-After-Free in Redis Lua Interpreter ║
║ CVSS Score: 10.0 (CRITICAL) ║
╚═══════════════════════════════════════════════════════════╝
[*] Testing connection to localhost:6380...
[+] Connected successfully!
[i] Redis Version: 7.2.0
[*] Checking if Lua scripting is enabled...
[+] Lua scripting is enabled!
[*] Checking vulnerability status...
[i] Detected Redis version: 7.2.0
[!] VULNERABLE: This version is affected by CVE-2025-49844
[!] Update to the latest patched version immediately!
[*] Attempting basic UAF trigger...
[+] Lua script executed: UAF pattern executed
[!] UAF pattern triggered (simplified demo)
[*] Testing Lua sandbox boundaries...
[*] Testing os.execute...
[+] Protected: os.execute blocked
[*] Testing io.popen...
[+] Protected: io.popen blocked
[*] Testing loadfile...
[+] Protected: loadfile blocked
[*] Testing package.loadlib...
[+] Protected: package.loadlib blocked
[*] Attempting memory corruption pattern...
[+] Memory corruption pattern executed: Memory corruption pattern completed
[!] In vulnerable versions, this could lead to RCE!
============================================================
[*] PoC execution completed
============================================================
How the Vulnerability Works
Attack Flow
- Connect to Redis (authenticated or unauthenticated)
- Send malicious Lua script via EVAL command
- Trigger Use-After-Free through garbage collection
- Escape Lua sandbox to access restricted functions
- Execute arbitrary native code outside the sandbox
- Gain full host access for data exfiltration, malware installation, etc.
Technical Details
The vulnerability is a 13-year-old use-after-free bug in Redis's Lua interpreter, which an attacker chains as follows:
- Memory Corruption: Improper memory management during garbage collection
- Sandbox Escape: Bypass Lua sandbox restrictions
- Code Execution: Execute arbitrary system commands
- Full Compromise: Complete access to the host system
Security Recommendations
1. Update Immediately
# Pull latest patched version
docker pull redis:8.2.2
# or
docker pull redis:7.4.6
2. Secure Configuration
# /etc/redis/redis.conf
# Enable authentication
requirepass your_strong_password_here
# Restrict network access
bind 127.0.0.1 ::1
protected-mode yes
# Disable dangerous commands
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG ""
rename-command EVAL ""
rename-command EVALSHA ""
# Enable logging
loglevel notice
logfile /var/log/redis/redis-server.log
3. Use Redis ACL
# Disable Lua scripting for specific users
redis-cli ACL SETUSER myuser -@scripting
# Create limited user
redis-cli ACL SETUSER limited on >password ~* +@read +@write -@scripting
4. Network Security
# Use firewall rules
sudo ufw allow from 192.168.1.0/24 to any port 6379
sudo ufw deny 6379
# Or use iptables
sudo iptables -A INPUT -p tcp --dport 6379 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 6379 -j DROP
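To verify that a redis.conf actually carries the hardening from step 2 (authentication, loopback bind, protected mode, EVAL/EVALSHA renamed away), here is a small audit script added as an example; it is not part of the lab repository. The weak and hardened sample configs embedded in it are constructed for the demo, and the checks cover only the directives listed in step 2.

```python
def parse_conf(text):
    """Map directive -> list of argument lists, skipping blank and '#' lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = []
    if not conf.get("requirepass", [[]])[0]:
        findings.append("no requirepass: unauthenticated clients can reach EVAL")
    # Redis 7 allows an optional '-' prefix on bind addresses; strip it before comparing.
    binds = [a.lstrip("-") for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind is missing or listens on all interfaces")
    if conf.get("protected-mode", [["yes"]])[0] != ["yes"]:
        findings.append("protected-mode is not 'yes'")
    renamed = {args[0].upper() for args in conf.get("rename-command", [])
               if len(args) == 2 and args[1] in ('""', "''")}
    for cmd in ("EVAL", "EVALSHA"):
        if cmd not in renamed:
            findings.append(f"{cmd} is still reachable (not renamed away)")
    return findings


# Constructed samples: a wide-open config and the hardened settings from step 2.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\n"
HARDENED_CONF = """
requirepass your_strong_password_here
bind 127.0.0.1 ::1
protected-mode yes
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG ""
rename-command EVAL ""
rename-command EVALSHA ""
loglevel notice
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(text) or ["ok"])
```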
Troubleshooting
Port Already in Use
# Check what's using the port
sudo lsof -i :6380
# Or change port in docker-compose.yml
# ports:
#   - "6381:6379"
Python Module Not Found
# Install required packages
pip install redis colorama
# Or use virtual environment
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
Docker Permission Denied
# Add user to docker group
sudo usermod -aG docker $USER
# Then logout and login again
Redis Not Starting
# Check logs
docker-compose logs
# Restart container
docker-compose restart
# Rebuild image
docker-compose up -d --build
Project Structure
redis_exploit/
├── Dockerfile # Redis 7.2.0 vulnerable instance
├── docker-compose.yml # Docker Compose configuration
├── exploit_poc.py # Main exploit script
├── requirements.txt # Python dependencies
├── .gitignore # Git ignore file
└── README.md # This file
Disclaimer
This PoC is simplified and for educational purposes only. The actual CVE-2025-49844 exploit involves complex memory manipulation. Always patch your Redis instances to the latest version!