SSB-2025-001 - Critical Remote Code Execution in Redis (“RediShell”)

CVSS v4.0 base score: 7.4

A major vulnerability (CVE-2025-49844) has been reported in Redis, a widely used in-memory data structure store, deployed on our Database-as-a-Service (DBaaS) platform.

The vulnerability allows an authenticated user to exploit a use-after-free memory corruption bug within Redis’s embedded Lua interpreter. A specially crafted Lua script can escape the Lua sandbox and execute arbitrary code on the Redis host. The vulnerability was originally evaluated with a CVSS v4.0 base score of 10.0, but Scalingo re-evaluated it to 7.4 due to required authentication and Scalingo’s security controls.

Incident analysis

Disclosed by Redis, the vulnerability (nicknamed RediShell) affects all Redis versions supporting Lua scripting since its introduction over 13 years ago.

Redis assigned it the identifier CVE-2025-49844 and published patched versions on October 3, 2025.

The following versions are affected by this vulnerability:

  • All versions prior to 6.2.20
  • Versions 7.0.0 through 7.2.10

While the issue technically enables remote code execution, exploitation requires authenticated access and the ability to execute Lua scripts. Therefore, the practical risk depends on configuration and exposure: internet-exposed or unauthenticated Redis instances are at highest risk.
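To turn the affected ranges above into something you can run against your own instances, here is an added example (not Scalingo's tooling) that reads the `redis_version` line from the text the Redis `INFO server` command returns and applies only the version ranges this bulletin states; the sample INFO output is constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the bulletin, keyed by major version.
PATCHED = {6: (6, 2, 20), 7: (7, 2, 11)}

def parse_version(text: str) -> Version:
    """'7.2.10' -> (7, 2, 10); raises ValueError on anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Redis version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def version_from_info(info: str) -> Version:
    """Extract redis_version from the text returned by `INFO server`."""
    for line in info.splitlines():
        if line.startswith("redis_version:"):
            return parse_version(line.split(":", 1)[1])
    raise ValueError("no redis_version line in INFO output")

def affected_status(v: Version) -> Optional[bool]:
    """True = affected per the bulletin, False = at or above a patched
    release it names, None = outside the ranges this bulletin covers."""
    if v < (6, 2, 20) or (7, 0, 0) <= v <= (7, 2, 10):
        return True
    if v[0] == 6 or v[:2] == (7, 2):   # 6.2.20+ or 7.2.11+
        return False
    return None                        # e.g. 7.4.x: consult the upstream advisory

def assess(info: str) -> dict:
    """One report for a server's INFO output: version, status, target."""
    v = version_from_info(info)
    status = affected_status(v)
    # Majors below 6 have no patched release in the bulletin; 6.2.20 is
    # the lowest fixed release it names, so report that as the target.
    target = PATCHED.get(v[0], PATCHED[6] if v[0] < 6 else None)
    return {
        "version": ".".join(map(str, v)),
        "affected": status,
        "upgrade_to": ".".join(map(str, target)) if status and target else None,
    }

# Constructed sample of `redis-cli INFO server` output, not a real host.
SAMPLE_INFO = "# Server\nredis_version:7.2.10\nredis_mode:standalone\ntcp_port:6379\n"

if __name__ == "__main__":
    print(assess(SAMPLE_INFO))
```

A result of `None` means the version is not covered by the ranges in this bulletin, which is not the same as being unaffected.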

Note: Redis versions 7.4+ use a different license (RSALv2 + SSPLv1) that prevents Scalingo from distributing them. Scalingo’s managed Redis service remains on the Redis 7.2 branch.

Remediation: what we did

Scalingo took the following actions after Redis’s disclosure:

  • Built and tested the patched Redis releases: 6.2.20 and 7.2.11.

  • Patched Scalingo’s internal systems that use Redis.

  • Made the patched versions available for:

    • All newly provisioned Redis databases
    • Manual upgrade by customers via the Scalingo Dashboard or CLI.
  • Scheduled automatic upgrades for all customer Redis databases over the next 3 weeks (databases already running v6 or v7 will be updated in less than a week), following these upgrade paths:

    • Redis 4 to Redis 5 (latest)
    • Redis 5 to Redis 6 (latest)
    • Redis 6 to Redis 6 (latest)
    • Redis 7 to Redis 7 (latest)

Impact

Redis databases on Scalingo are:

  • Always executed in isolated Linux containers
  • Protected by strong, randomly generated passwords
  • Not exposed to the internet unless explicitly configured by the user

Because the exploit requires authenticated access, the likelihood of exploitation on Scalingo is very low.

Even in a hypothetical successful attack, the impact would be limited to the Redis container scope—there is no path to escape the container or access other customer data.

What you should do

No immediate action is required for customers using managed Redis add-ons. Automatic upgrades to patched versions are scheduled over the next 3 weeks to ensure all instances are protected.

Ensure that internet access for your Redis instances is only enabled if absolutely necessary. This feature is disabled by default and can be controlled via the Scalingo Dashboard or CLI.

What we will do in the future

Scalingo will:

  • Continue monitoring Redis security advisories and applying security updates promptly.

  • Continue to strengthen automated vulnerability monitoring to increase detection capabilities.

Product Impacts

Scalingo PaaS

No impact on the application platform layer.

Scalingo DBaaS Add-ons

All Redis add-ons are being upgraded to patched versions (6.2.20 for Redis 6.x and 7.2.11 for Redis 7.x) over the next 3 weeks. No other managed database services (PostgreSQL, MySQL, MongoDB, Elasticsearch, OpenSearch, InfluxDB) are affected.

Other Scalingo Add-ons and Services

No other add-ons or services are impacted.

Contact

If you have any questions or require further assistance, please contact our support team. We remain committed to ensuring the security of our platform and the protection of our users’ data.

Timeline

2025-05-16 Vulnerability reported by Wiz Research during Pwn2Own Berlin
2025-10-03 Redis publishes its official security advisory and patches
2025-10-07 Scalingo builds and tests patched Redis 6.2.20 and 7.2.11
2025-10-07 Patched versions made available for new instances and manual upgrades
2025-10-08 Public disclosure of Scalingo Security Bulletin SSB-2025-001

Changelog

2025-10-08: Initial publication of SSB-2025-001



©2025 Scalingo