UBUNTU-CVE-2025-49844
- Source
- https://ubuntu.com/security/CVE-2025-49844
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-49844.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-49844
- Upstream
- Downstream
- Related
- Published
- 2025-10-03T20:15:00Z
- Modified
- 2025-10-21T05:23:00Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Ubuntu - high
- Summary
- [none]
- Details
-
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
- References
-
- https://ubuntu.com/security/CVE-2025-49844
- https://www.cve.org/CVERecord?id=CVE-2025-49844
- https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q
- https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539
- https://github.com/valkey-io/valkey/commit/6dd003e88feace83e55491f32376f6927896e31e
- https://github.com/redis/redis/releases/tag/8.2.2
- https://ubuntu.com/security/notices/USN-7824-1
- https://ubuntu.com/security/notices/USN-7824-2
- https://ubuntu.com/security/notices/USN-7824-3
Affected packages
Ubuntu:22.04:LTS
redis
Package
- Name
- redis
- Purl
- pkg:deb/ubuntu/redis@5:6.0.16-1ubuntu1.1?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5:6.0.16-1ubuntu1.1
Ecosystem specific
{
"binaries": [
{
"binary_version": "5:6.0.16-1ubuntu1.1",
"binary_name": "redis"
},
{
"binary_version": "5:6.0.16-1ubuntu1.1",
"binary_name": "redis-sentinel"
},
{
"binary_version": "5:6.0.16-1ubuntu1.1",
"binary_name": "redis-server"
},
{
"binary_version": "5:6.0.16-1ubuntu1.1",
"binary_name": "redis-tools"
}
],
"availability": "No subscription required",
"priority_reason": "This CVE is likely easy to exploit in the default configuration"
}Ubuntu:24.04:LTS
redis
Package
- Name
- redis
- Purl
- pkg:deb/ubuntu/redis@5:7.0.15-1ubuntu0.24.04.2?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5:7.0.15-1ubuntu0.24.04.2
Affected versions
5:7.*
5:7.0.12-1
5:7.0.14-1
5:7.0.14-2
5:7.0.15-1
5:7.0.15-1build1
5:7.0.15-1build2
5:7.0.15-1ubuntu0.24.04.1
Ecosystem specific
{
"binaries": [
{
"binary_version": "5:7.0.15-1ubuntu0.24.04.2",
"binary_name": "redis"
},
{
"binary_version": "5:7.0.15-1ubuntu0.24.04.2",
"binary_name": "redis-sentinel"
},
{
"binary_version": "5:7.0.15-1ubuntu0.24.04.2",
"binary_name": "redis-server"
},
{
"binary_version": "5:7.0.15-1ubuntu0.24.04.2",
"binary_name": "redis-tools"
}
],
"availability": "No subscription required",
"priority_reason": "This CVE is likely easy to exploit in the default configuration"
}valkey
Package
- Name
- valkey
- Purl
- pkg:deb/ubuntu/valkey@7.2.10+dfsg1-0ubuntu0.1?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
7.*
7.2.5+dfsg1-2ubuntu4~24.04.1
7.2.7+dfsg1-0ubuntu0.24.04.1
7.2.8+dfsg1-0ubuntu0.24.04.1
7.2.8+dfsg1-0ubuntu0.24.04.2
7.2.8+dfsg1-0ubuntu0.24.04.3
7.2.10+dfsg1-0ubuntu0.1
Ecosystem specific
{
"binaries": [
{
"binary_version": "7.2.10+dfsg1-0ubuntu0.1",
"binary_name": "valkey-redis-compat"
},
{
"binary_version": "7.2.10+dfsg1-0ubuntu0.1",
"binary_name": "valkey-sentinel"
},
{
"binary_version": "7.2.10+dfsg1-0ubuntu0.1",
"binary_name": "valkey-server"
},
{
"binary_version": "7.2.10+dfsg1-0ubuntu0.1",
"binary_name": "valkey-tools"
}
],
"priority_reason": "This CVE is likely easy to exploit in the default configuration"
}Ubuntu:25.04
redict
Package
- Name
- redict
- Purl
- pkg:deb/ubuntu/redict@7.3.2+ds-1ubuntu0.1?arch=source&distro=plucky
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed7.3.2+ds-1ubuntu0.1
Ecosystem specific
{
"binaries": [
{
"binary_version": "7.3.2+ds-1ubuntu0.1",
"binary_name": "redict"
},
{
"binary_version": "7.3.2+ds-1ubuntu0.1",
"binary_name": "redict-sentinel"
},
{
"binary_version": "7.3.2+ds-1ubuntu0.1",
"binary_name": "redict-server"
},
{
"binary_version": "7.3.2+ds-1ubuntu0.1",
"binary_name": "redict-tools"
}
],
"availability": "No subscription required",
"priority_reason": "This CVE is likely easy to exploit in the default configuration"
}redis
Package
- Name
- redis
- Purl
- pkg:deb/ubuntu/redis@5:7.0.15-3ubuntu0.1?arch=source&distro=plucky
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5:7.0.15-3ubuntu0.1
Ecosystem specific
{
"binaries": [
{
"binary_version": "5:7.0.15-3ubuntu0.1",
"binary_name": "redis"
},
{
"binary_version": "5:7.0.15-3ubuntu0.1",
"binary_name": "redis-sentinel"
},
{
"binary_version": "5:7.0.15-3ubuntu0.1",
"binary_name": "redis-server"
},
{
"binary_version": "5:7.0.15-3ubuntu0.1",
"binary_name": "redis-tools"
}
],
"availability": "No subscription required",
"priority_reason": "This CVE is likely easy to exploit in the default configuration"
}valkey
Package
- Name
- valkey
- Purl
- pkg:deb/ubuntu/valkey@8.0.4+dfsg1-0ubuntu0.1?arch=source&distro=plucky
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
7.*
7.2.5+dfsg1-2ubuntu4
8.*
8.0.1+dfsg1-1ubuntu1
8.0.2+dfsg1-1ubuntu1
8.0.2+dfsg1-1ubuntu2
8.0.4+dfsg1-0ubuntu0.1
Ecosystem specific
{
"binaries": [
{
"binary_version": "8.0.4+dfsg1-0ubuntu0.1",
"binary_name": "valkey-redis-compat"
},
{
"binary_version": "8.0.4+dfsg1-0ubuntu0.1",
"binary_name": "valkey-sentinel"
},
{
"binary_version": "8.0.4+dfsg1-0ubuntu0.1",
"binary_name": "valkey-server"
},
{
"binary_version": "8.0.4+dfsg1-0ubuntu0.1",
"binary_name": "valkey-tools"
}
],
"priority_reason": "This CVE is likely easy to exploit in the default configuration"
}Ubuntu:25.10
redict
Package
- Name
- redict
- Purl
- pkg:deb/ubuntu/redict@7.3.5+ds-1ubuntu0.1?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed7.3.5+ds-1ubuntu0.1
Ecosystem specific
{
"binaries": [
{
"binary_version": "7.3.5+ds-1ubuntu0.1",
"binary_name": "redict"
},
{
"binary_version": "7.3.5+ds-1ubuntu0.1",
"binary_name": "redict-sentinel"
},
{
"binary_version": "7.3.5+ds-1ubuntu0.1",
"binary_name": "redict-server"
},
{
"binary_version": "7.3.5+ds-1ubuntu0.1",
"binary_name": "redict-tools"
}
],
"availability": "No subscription required",
"priority_reason": "This CVE is likely easy to exploit in the default configuration"
}redis
Package
- Name
- redis
- Purl
- pkg:deb/ubuntu/redis@5:8.0.2-3ubuntu0.25.10.1?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5:8.0.2-3ubuntu0.25.10.1
Ecosystem specific
{
"binaries": [
{
"binary_version": "5:8.0.2-3ubuntu0.25.10.1",
"binary_name": "redis"
},
{
"binary_version": "5:8.0.2-3ubuntu0.25.10.1",
"binary_name": "redis-sentinel"
},
{
"binary_version": "5:8.0.2-3ubuntu0.25.10.1",
"binary_name": "redis-server"
},
{
"binary_version": "5:8.0.2-3ubuntu0.25.10.1",
"binary_name": "redis-tools"
}
],
"availability": "No subscription required",
"priority_reason": "This CVE is likely easy to exploit in the default configuration"
}valkey
Package
- Name
- valkey
- Purl
- pkg:deb/ubuntu/valkey@8.1.3+dfsg1-0ubuntu2?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
8.*
8.0.2+dfsg1-1ubuntu1
8.1.1+dfsg1-2ubuntu1
8.1.3+dfsg1-0ubuntu1
8.1.3+dfsg1-0ubuntu2
Ecosystem specific
{
"binaries": [
{
"binary_version": "8.1.3+dfsg1-0ubuntu2",
"binary_name": "valkey-sentinel"
},
{
"binary_version": "8.1.3+dfsg1-0ubuntu2",
"binary_name": "valkey-server"
},
{
"binary_version": "8.1.3+dfsg1-0ubuntu2",
"binary_name": "valkey-tools"
}
],
"priority_reason": "This CVE is likely easy to exploit in the default configuration"
}Ubuntu:Pro:14.04:LTS
redis
Package
- Name
- redis
- Purl
- pkg:deb/ubuntu/redis@2:2.8.4-2ubuntu0.2+esm5?arch=source&distro=esm-infra-legacy/trusty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2:2.8.4-2ubuntu0.2+esm5
Affected versions
2:2.*
2:2.6.13-1
2:2.6.16-3
2:2.8.0-1
2:2.8.2-1
2:2.8.4-2
2:2.8.4-2ubuntu0.2
2:2.8.4-2ubuntu0.2+esm1
2:2.8.4-2ubuntu0.2+esm2
2:2.8.4-2ubuntu0.2+esm3
2:2.8.4-2ubuntu0.2+esm4
Ecosystem specific
{
"binaries": [
{
"binary_version": "2:2.8.4-2ubuntu0.2+esm5",
"binary_name": "redis-server"
},
{
"binary_version": "2:2.8.4-2ubuntu0.2+esm5",
"binary_name": "redis-tools"
}
],
"availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
"priority_reason": "This CVE is likely easy to exploit in the default configuration"
}Ubuntu:Pro:16.04:LTS
redis
Package
- Name
- redis
- Purl
- pkg:deb/ubuntu/redis@2:3.0.6-1ubuntu0.4+esm4?arch=source&distro=esm-apps/xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2:3.0.6-1ubuntu0.4+esm4
Affected versions
2:3.*
2:3.0.3-3
2:3.0.5-1
2:3.0.5-2
2:3.0.5-3
2:3.0.5-4
2:3.0.6-1
2:3.0.6-1ubuntu0.2
2:3.0.6-1ubuntu0.3
2:3.0.6-1ubuntu0.4
2:3.0.6-1ubuntu0.4+esm1
2:3.0.6-1ubuntu0.4+esm2
2:3.0.6-1ubuntu0.4+esm3
Ecosystem specific
{
"binaries": [
{
"binary_version": "2:3.0.6-1ubuntu0.4+esm4",
"binary_name": "redis-sentinel"
},
{
"binary_version": "2:3.0.6-1ubuntu0.4+esm4",
"binary_name": "redis-server"
},
{
"binary_version": "2:3.0.6-1ubuntu0.4+esm4",
"binary_name": "redis-tools"
}
],
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"priority_reason": "This CVE is likely easy to exploit in the default configuration"
}Ubuntu:Pro:18.04:LTS
redis
Package
- Name
- redis
- Purl
- pkg:deb/ubuntu/redis@5:4.0.9-1ubuntu0.2+esm6?arch=source&distro=esm-apps/bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5:4.0.9-1ubuntu0.2+esm6
Affected versions
4:4.*
4:4.0.1-7
4:4.0.2-6
4:4.0.2-9
5:4.*
5:4.0.5-1
5:4.0.6-1
5:4.0.6-2
5:4.0.7-1
5:4.0.8-1
5:4.0.8-2
5:4.0.9-1
5:4.0.9-1ubuntu0.1
5:4.0.9-1ubuntu0.2
5:4.0.9-1ubuntu0.2+esm2
5:4.0.9-1ubuntu0.2+esm3
5:4.0.9-1ubuntu0.2+esm4
5:4.0.9-1ubuntu0.2+esm5
Ecosystem specific
{
"binaries": [
{
"binary_version": "5:4.0.9-1ubuntu0.2+esm6",
"binary_name": "redis"
},
{
"binary_version": "5:4.0.9-1ubuntu0.2+esm6",
"binary_name": "redis-sentinel"
},
{
"binary_version": "5:4.0.9-1ubuntu0.2+esm6",
"binary_name": "redis-server"
},
{
"binary_version": "5:4.0.9-1ubuntu0.2+esm6",
"binary_name": "redis-tools"
}
],
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"priority_reason": "This CVE is likely easy to exploit in the default configuration"
}Ubuntu:Pro:20.04:LTS
redis
Package
- Name
- redis
- Purl
- pkg:deb/ubuntu/redis@5:5.0.7-2ubuntu0.1+esm4?arch=source&distro=esm-apps/focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5:5.0.7-2ubuntu0.1+esm4
Affected versions
5:5.*
5:5.0.5-2build1
5:5.0.6-1
5:5.0.7-1
5:5.0.7-2
5:5.0.7-2ubuntu0.1~esm1
5:5.0.7-2ubuntu0.1
5:5.0.7-2ubuntu0.1+esm1
5:5.0.7-2ubuntu0.1+esm2
5:5.0.7-2ubuntu0.1+esm3
Ecosystem specific
{
"binaries": [
{
"binary_version": "5:5.0.7-2ubuntu0.1+esm4",
"binary_name": "redis"
},
{
"binary_version": "5:5.0.7-2ubuntu0.1+esm4",
"binary_name": "redis-sentinel"
},
{
"binary_version": "5:5.0.7-2ubuntu0.1+esm4",
"binary_name": "redis-server"
},
{
"binary_version": "5:5.0.7-2ubuntu0.1+esm4",
"binary_name": "redis-tools"
}
],
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"priority_reason": "This CVE is likely easy to exploit in the default configuration"
}