The Memurai team, October 10, 2025

Memurai Security Update: Addressing Redis Vulnerabilities


We're announcing the release of Memurai 4.1.7 and Memurai for Redis 4.2.1 to address critical security vulnerabilities recently discovered in Redis. We strongly urge all Memurai users to update to the latest version to ensure the security and integrity of their systems.

About the Vulnerabilities

CVE-2025-49844, also known as "RediShell", is a remote code execution (RCE) vulnerability with a CVSS score of 10.0, the highest possible severity. The vulnerability allows an authenticated attacker to use a specially crafted Lua script to manipulate the garbage collector. This triggers a use-after-free condition, which can be exploited to escape the Lua sandbox and execute arbitrary code on the host, potentially leading to a full system compromise.

In addition to this critical vulnerability, three other vulnerabilities have also been addressed:

  • CVE-2025-46817: A high-severity integer overflow vulnerability that could lead to remote code execution.
  • CVE-2025-46818: A medium-severity vulnerability that could allow an authenticated user to execute Lua scripts in the context of another user, potentially leading to privilege escalation.
  • CVE-2025-46819: A medium-severity vulnerability that could allow an authenticated user to read out-of-bounds data or crash the server, leading to a denial of service.

Memurai Security Update

We have released two new versions of Memurai:

  • Memurai 4.1.7, which is on parity with Redis 7.2.11
  • Memurai for Redis 4.2.1, which is on parity with Redis 7.4.6

These new versions contain the necessary patches to protect your instances from these vulnerabilities.

What You Need to Do

We urge all Memurai users to upgrade their instances to the latest appropriate version immediately. You can download the latest versions from our website.

Download the latest version of Memurai
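
To confirm which instances still need the update, the added example below (not Memurai's own tooling) classifies saved output of the INFO server command against the Redis parity versions listed above. It assumes each instance reports its Redis-compatible version in the `redis_version` field; the host names and INFO text are constructed samples.

```python
import re

# Patched baselines from this advisory, keyed by major.minor branch:
# Redis 7.2.11 (Memurai 4.1.7) and Redis 7.4.6 (Memurai for Redis 4.2.1).
PATCHED = {(7, 2): (7, 2, 11), (7, 4): (7, 4, 6)}

def parse_info(text):
    """Parse INFO output ('key:value' lines, '#' section headers) into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key] = value
    return fields

def assess(info_text):
    """Return 'patched', 'needs_update' or 'unknown' for one instance."""
    # Assumption: redis_version carries the Redis-compatible version number.
    version = parse_info(info_text).get("redis_version", "")
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        return "unknown"  # field missing or not in x.y.z form
    found = tuple(int(part) for part in match.groups())
    baseline = PATCHED.get(found[:2])
    if baseline is None:
        return "unknown"  # branch not covered by this advisory
    # Compare as integer tuples: as strings, "7.2.9" would sort above "7.2.11".
    return "patched" if found >= baseline else "needs_update"

def audit(captures):
    """Map each host name to its assessment."""
    return {host: assess(text) for host, text in captures.items()}

# Constructed sample captures (hypothetical hosts, not real output).
SAMPLES = {
    "cache-01": "# Server\r\nredis_version:7.2.9\r\nos:Windows\r\n",
    "cache-02": "# Server\r\nredis_version:7.2.11\r\nos:Windows\r\n",
    "cache-03": "# Server\r\nredis_version:7.4.5\r\nos:Windows\r\n",
    "cache-04": "# Server\r\nos:Windows\r\n",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLES).items()):
        print(f"{host}: {status}")
```

Instances reported as `unknown` are on a branch this advisory does not list or returned no usable version, so check them by hand.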

Stay secure,

The Memurai Team
