CVE-2025-49844 - Redis/Valkey - Lua Use-After-Free Vulnerability

On October 3rd, 2025, Redis released details on CVE-2025-49844.

This particular vulnerability could allow an authenticated user to obtain remote code execution using a specially crafted Lua script.

This affects all Redis and Valkey versions that have Lua scripting support.

This issue is resolved in:

• Redis: 8.2.2+, 8.04+, 7.4.6+, 7.2.11+, 6.2.20+
• Valkey: 8.1.4+, 8.0.6+, 7.2.11+

On October 8th Valkey 8.0.6 was made available as mandatory maintenance on the Aiven platform. It is recommended that all Valkey customers run this maintenance as soon as possible.

For those customers running Redis (Aiven for Caching) on the Aiven platform, a patch to 7.2.11 will be released in the coming days. Note that Aiven for Caching is end-of-life on the Aiven platform and all running instances will be decommissioned starting on October 15th, 2025.