Redis Has Had a CVSS 10 RCE for 13 Years
A use-after-free in Redis's Lua scripting engine has been sitting there since 2012. CVSS 10. If you run Redis, you're probably affected. Nobody noticed for over a decade.
My take
Thirteen years. Every Redis instance running Lua scripts has been carrying this since 2012. This is what I mean when I say the problem isn't sophisticated attacks. We can't keep up with what's already broken in the software we depend on. Attackers now have AI to find these faster than we can patch them. And most organizations don't even know what's running in their environment, let alone whether it's patched.
Terminal

```shell
# check your redis version
$ redis-cli INFO server | grep redis_version
redis_version:7.0.15

# lua-time-limit is the script execution time budget, not an on/off switch:
# scripting is always available unless ACLs block it (setting it to 0 would
# remove the time limit, not disable Lua)
$ redis-cli CONFIG GET lua-time-limit
1) "lua-time-limit"
2) "5000"

# if you're below the patched version, you have a CVSS 10 RCE sitting in
# production right now. interim mitigation: deny the scripting command
# category (EVAL/EVALSHA and friends) to users that don't need it
$ redis-cli ACL SETUSER default -@scripting   # runtime only; persist via ACL SAVE / aclfile
OK
```
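As an added example (not part of the original post and not Redis's own tooling): a small Python triage helper that takes the text of `redis-cli INFO server` and `redis-cli ACL LIST` from one host and reports whether it is below a fixed version and whether Lua scripting is still reachable through the ACLs, which is the per-host check the block above does by hand. The sample outputs are constructed, and `FIXED_VERSION_PLACEHOLDER` is a placeholder to fill in from the Redis advisory for your release branch.

```python
import re
from typing import Dict, List, Tuple

# Placeholder only: take the real fixed version for your release branch from
# the Redis advisory. This value is constructed for the demo.
FIXED_VERSION_PLACEHOLDER = "7.0.99"

# Constructed sample of `redis-cli INFO server` output (not from a real host).
SAMPLE_INFO = "# Server\nredis_version:7.0.15\nredis_mode:standalone\n"

# Constructed sample of `redis-cli ACL LIST` output: 'default' still has
# +@all, so EVAL/EVALSHA are reachable; 'app' has the category denied.
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<sha256-placeholder> ~app:* &* -@all +@read +@write -@scripting",
]

# ACL tokens that change whether @scripting commands are callable; Redis
# applies rules left to right and the last matching one wins.
_TOKEN_EFFECT = {"+@all": True, "allcommands": True, "-@all": False,
                 "nocommands": False, "+@scripting": True, "-@scripting": False}


def parse_version(info_text: str) -> Tuple[int, ...]:
    """Pull redis_version out of INFO output as a comparable tuple."""
    m = re.search(r"^redis_version:(\d+(?:\.\d+)*)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(p) for p in m.group(1).split("."))


def scripting_allowed(acl_line: str) -> bool:
    """True if the user is enabled and its category rules leave @scripting
    reachable. Per-command rules (+eval, -evalsha) are not modelled here."""
    toks = acl_line.split()
    allowed = False
    for tok in toks:
        allowed = _TOKEN_EFFECT.get(tok, allowed)
    return "on" in toks[2:3] and allowed


def triage(info_text: str, acl_lines: List[str], fixed_version: str) -> Dict[str, object]:
    """Combine version and ACL state into one verdict for the asset inventory."""
    ver = parse_version(info_text)
    fixed = tuple(int(p) for p in fixed_version.split("."))
    exposed = [ln.split()[1] for ln in acl_lines
               if ln.startswith("user ") and scripting_allowed(ln)]
    if ver >= fixed:
        action = "patched"
    elif exposed:
        action = "patch now: scripting reachable by " + ", ".join(exposed)
    else:
        action = "patch soon: scripting already denied by ACL"
    return {"version": ".".join(map(str, ver)), "below_fixed": ver < fixed,
            "users_with_scripting": exposed, "action": action}
```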
You can't patch what you don't know about.
The real issue isn't that this bug existed for 13 years. It's that most organizations have no idea what versions of what software are running across their infrastructure. No asset inventory, no dependency tracking, no automated patching. A human set up Redis years ago and nobody looked at it again. That's not a Redis problem. That's a housekeeping problem.
AI makes vulnerability discovery faster for everyone.
Researchers are using AI to find bugs faster. So are attackers. The time between a CVE being published and an exploit being weaponized is shrinking. If your patching cadence is 'quarterly' or 'when someone remembers,' you're going to lose that race. Automated patching, asset inventory, and continuous vulnerability scanning aren't optional anymore. They're the bare minimum.
Takeaway
Patch your systems. Maintain an inventory of what's running. Don't assume stability means safety; it often means the bugs are old enough that everyone forgot to look. And if you're asking an AI chatbot to help debug your Redis config, make sure you're not pasting connection strings and auth tokens into the prompt.