Hi Andre Lucci,
Welcome to the Microsoft Q&A.
Yes, CVE-2025-49844 is a critical Redis Lua vulnerability. Because Azure Cache for Redis is based on upstream Redis, you should treat your cache as affected until the platform has applied patched builds. The flaw allows an authenticated client to run a crafted Lua script that triggers a use-after-free and can lead to remote code execution.
Azure Cache for Redis is a managed service; customers don’t install Redis patches themselves. Fixes are rolled out by Microsoft during maintenance/scheduled update windows.
Recommended hardening while the patch propagates:
- Keep the cache private (Private Endpoint or tight firewall rules) and require TLS.
- Rotate access keys and avoid exposing them in pipelines.
- If you don’t need Lua, block EVAL/EVALSHA for non-admin users (ACLs) and monitor for scripting activity.
These steps align with guidance to restrict access and, as a workaround, disable Lua scripting.
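
Added example (not part of the original answer, and not Microsoft or Redis code): one way to do the "monitor for scripting activity" step is to diff two `INFO commandstats` snapshots and report new calls to script-executing commands. The snapshot text is constructed sample data, and it is an assumption that your cache tier returns `INFO commandstats` to your client.

```python
import re

# Commands that run or load server-side scripts. Redis 7 reports
# subcommands in commandstats as "script|load" / "function|load".
SCRIPTING = {"eval", "evalsha", "eval_ro", "evalsha_ro",
             "fcall", "fcall_ro", "script|load", "function|load"}
LINE = re.compile(r"^cmdstat_([^:]+):(.*)$")

def parse_commandstats(text):
    """Return {command: {field: number}} from INFO commandstats output."""
    stats = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # "# Commandstats" header, blank lines
        fields = {}
        for pair in m.group(2).split(","):
            key, _, value = pair.partition("=")
            try:
                fields[key] = float(value)
            except ValueError:
                continue  # ignore malformed field
        stats[m.group(1).lower()] = fields
    return stats

def scripting_delta(before, after):
    """New calls per scripting command between two snapshots."""
    old, new = parse_commandstats(before), parse_commandstats(after)
    delta = {}
    for cmd in SCRIPTING & new.keys():
        now = new[cmd].get("calls", 0)
        calls = now - old.get(cmd, {}).get("calls", 0)
        if calls < 0:      # counters were reset (restart or RESETSTAT)
            calls = now
        if calls > 0:
            delta[cmd] = int(calls)
    return delta

# Constructed snapshots, e.g. taken a few minutes apart.
SNAP_T0 = """# Commandstats
cmdstat_get:calls=1200,usec=3400,usec_per_call=2.83,rejected_calls=0,failed_calls=0
cmdstat_evalsha:calls=4,usec=310,usec_per_call=77.50,rejected_calls=0,failed_calls=0
"""
SNAP_T1 = """# Commandstats
cmdstat_get:calls=1900,usec=5300,usec_per_call=2.79,rejected_calls=0,failed_calls=0
cmdstat_evalsha:calls=4,usec=310,usec_per_call=77.50,rejected_calls=0,failed_calls=0
cmdstat_eval:calls=7,usec=910,usec_per_call=130.00,rejected_calls=2,failed_calls=1
cmdstat_script|load:calls=1,usec=40,usec_per_call=40.00,rejected_calls=0,failed_calls=0
"""

if __name__ == "__main__":
    print(scripting_delta(SNAP_T0, SNAP_T1))
```

If the application is not expected to use Lua at all, any non-empty result is worth an alert; otherwise compare it against the set of scripts the application is known to run.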