Spring Data Redis Exposure to Redis Lua Parser Use-After-Free (CVE-2025-49844)
A critical Redis Lua parser flaw (CVE-2025-49844) could enable remote code execution — here’s what it means for Spring Data Redis users and how to stay protected.
The disclosure of CVE-2025-49844, a critical vulnerability in the Redis Lua script parser, has placed many organizations on alert. This issue can lead to remote code execution (RCE) under certain conditions. In most deployments, Redis is protected behind a firewall and used primarily by web applications for caching. However, organizations leveraging Spring Data Redis may be wondering: what is our exposure?
Overview of the Vulnerability
CVE-2025-49844 arises from a Use-After-Free condition in the Redis Lua parser. A Use-After-Free condition arises when a program references memory that has already been deallocated, which can lead to undefined behavior, including arbitrary code execution or system compromise. Exploitation may allow an attacker to execute arbitrary code on the underlying system. While a public proof-of-concept (PoC) has not yet been published, similar attack mechanisms are publicly available. This is not a vulnerability in Spring Data Redis itself, but because Spring Data Redis can execute Lua scripts through Redis, applications that use this feature may be indirectly exposed if their Redis instance is vulnerable.
Recommended Remediation
We recommend following the remediation guidance provided in the official vulnerability database:
- Upgrade Redis to version 8.2.2 or later, which includes a fix for this vulnerability.
- Apply access control lists (ACLs) to restrict the use of the EVAL and EVALSHA commands.
For additional details, refer to the Redis security advisory here.
Spring Data Redis Context
Spring Data Redis provides tight integration between Redis and the Spring Framework, simplifying data access and caching within Spring applications. At its core, it uses the RedisTemplate API to perform operations against Redis, leveraging a low-level driver such as Lettuce or Jedis depending on configuration.
The potential exposure arises when RedisTemplate executes Lua scripts through the RedisScript interface. Applications that do not use Lua scripting are not affected by this vulnerability.
Assessing Exposure
To determine whether your application is at risk, review your codebase for any usage of RedisScript. The script is executed on Redis via the RedisTemplate execute function here or here.
- If your application executes user-supplied scripts, it is highly vulnerable and should be remediated immediately. This would be a very unusual configuration.
- If your application only runs internally authored scripts, ensure they neither accept user input nor invoke collectgarbage('collect'), as that call contributes to the conditions necessary for exploitation.
Even in Lua scripts where the collectgarbage command is used, successful exploitation is not guaranteed, but the risk remains nonetheless. Remote code execution requires precise heap manipulation, but data corruption and crashes can still result from a Use-After-Free.
Risk Evaluation
For most Spring applications using Spring Data Redis in conjunction with a firewalled Redis instance and no Lua scripting, the risk of exploitation is negligible. Nevertheless, given the critical severity of CVE-2025-49844, we strongly advise prompt remediation of Redis instances to minimize potential exposure, especially if your application uses Lua scripts.
If your application doesn't use Lua scripts, you can disable EVAL and EVALSHA on Redis in redis.conf with rename-command EVAL "" and rename-command EVALSHA "". You can also use ACLs to prevent application users from running scripts, by using redis-cli to run ACL SETUSER <username> -@scripting.
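As an added check, not part of the original post or the Spring project, the following Python audits the output of redis-cli ACL LIST and reports which users still retain EVAL/EVALSHA rights after the ACL hardening above. Its left-to-right rule evaluation is a simplified model of Redis ACL semantics (an assumption of this example), and the sample ACL LIST output is constructed.

```python
import re

# Commands in Redis's @scripting category that run Lua (EVAL_RO/EVALSHA_RO exist
# since Redis 7.0). FCALL is omitted to stay with the commands named in the post.
SCRIPT_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro"}

def _normalize(line: str) -> str:
    """Strip the `N) "..."` decoration redis-cli puts around each ACL LIST line."""
    return re.sub(r'^\d+\)\s*', "", line.strip()).strip('"')

def can_run_scripts(acl_line: str) -> bool:
    """True if the user on this ACL LIST line can still call EVAL/EVALSHA.

    Assumed, simplified left-to-right model of Redis ACL rules: a category rule
    grants or clears the whole scripting set, a per-command rule adds or removes
    one command, and a disabled ('off') user can do nothing.
    """
    fields = _normalize(acl_line).split()
    if len(fields) < 2 or fields[0] != "user":
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    if "off" in fields[2:]:
        return False
    allowed: set[str] = set()
    for rule in fields[2:]:
        if rule in ("allcommands", "+@all", "+@scripting"):
            allowed = set(SCRIPT_COMMANDS)
        elif rule in ("nocommands", "-@all", "-@scripting"):
            allowed = set()
        elif rule[:1] in "+-" and rule[1:].lower() in SCRIPT_COMMANDS:
            if rule[0] == "+":
                allowed.add(rule[1:].lower())
            else:
                allowed.discard(rule[1:].lower())
    return bool(allowed)

def script_capable_users(acl_list_output: str) -> list[str]:
    """Names of users in `ACL LIST` output who retain script execution rights."""
    return [_normalize(line).split()[1] for line in acl_list_output.splitlines()
            if line.strip() and can_run_scripts(line)]

# Constructed sample of `redis-cli ACL LIST` output (not from a real server).
SAMPLE_ACL_LIST = """\
1) "user default on nopass sanitize-payload ~* &* +@all"
2) "user app-cache on #<hash-placeholder> ~cache:* &* +@all -@scripting"
3) "user app-jobs on #<hash-placeholder> ~jobs:* &* -@all +@read +@write +eval"
4) "user legacy off nopass ~* &* +@all"
"""

if __name__ == "__main__":
    print("users that can still run Lua scripts:", script_capable_users(SAMPLE_ACL_LIST))
```

Pipe the real output in with redis-cli ACL LIST and review any user the script lists; the default user in particular keeps +@all unless you change it.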