CVSS 10.0 in Redis because of a bug in Lua. Truly beautiful.

https://redis.io/blog/security-advisory-cve-2025-49844/
https://redrays.io/blog/poc-for-cve-2025-49844-cve-2025-46817-and-cve-2025-46818-critical-lua-engine-vulnerabilities

🏫 MY COURSES
Sign-up for my FREE 3-Day C Course: https://lowlevel.academy

🧙‍♂️ HACK YOUR CAREER
Wanna learn to hack? Join my new CTF platform: https://stacksmash.io

🔥COME HANG OUT   
Check out my other stuff: https://lowlevel.tv

Low Level Learning

A critical CVSS 10.0 vulnerability in Redis involves a use-after-free bug in its custom Lua interpreter implementation. The flaw occurs when the garbage collector fails to properly track T-string objects, allowing freed memory to be reused while still accessible, potentially leading to type confusion and remote code execution. The vulnerability requires authentication to exploit and demonstrates how even garbage-collected languages can have memory safety issues in their runtime implementations.

it doesn't get worse than this (CVSS 10.0)