How to update Redis vulnerable version (#RediShell)?
-
Description
Cloudron's common Redis image is vulnerable to a critical vulnerability (CVE-2025-49844, CVSS 10).
Logs
The logs say it is version 7.4.2; the fixed version is 7.4.6.
Gitlab
Oct 08 12:06:24 13:C 08 Oct 2025 10:06:24.722 * oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
Oct 08 12:06:24 13:C 08 Oct 2025 10:06:24.722 * Redis version=7.4.2, bits=64, commit=00000000, modified=0, pid=13, just started
Oct 08 12:06:24 13:C 08 Oct 2025 10:06:24.722 * Configuration loaded
Oct 08 12:06:24 13:M 08 Oct 2025 10:06:24.722 * monotonic clock: POSIX clock_gettime
Oct 08 12:06:24 13:M 08 Oct 2025 10:06:24.724 # Failed to write PID file: Permission denied
Oct 08 12:06:24 13:M 08 Oct 2025 10:06:24.724 * Running mode=standalone, port=6379.
Oct 08 12:06:24 13:M 08 Oct 2025 10:06:24.725 * Server initialized
Oct 08 12:06:24 13:M 08 Oct 2025 10:06:24.725 * Loading RDB produced by version 7.4.2
Same with n8n:
Oct 08 12:19:46 13:C 08 Oct 2025 10:19:46.483 * oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
Oct 08 12:19:46 13:C 08 Oct 2025 10:19:46.483 * Redis version=7.4.2, bits=64, commit=00000000, modified=0, pid=13, just started
Oct 08 12:19:46 13:C 08 Oct 2025 10:19:46.483 * Configuration loaded
Oct 08 12:19:46 13:M 08 Oct 2025 10:19:46.483 * monotonic clock: POSIX clock_gettime
Oct 08 12:19:46 13:M 08 Oct 2025 10:19:46.485 # Failed to write PID file: Permission denied
Oct 08 12:19:46 13:M 08 Oct 2025 10:19:46.485 * Running mode=standalone, port=6379.
Oct 08 12:19:46 13:M 08 Oct 2025 10:19:46.485 * Server initialized
Oct 08 12:19:46 13:M 08 Oct 2025 10:19:46.486 * Loading RDB produced by version 7.4.2
And the same for all other apps using Redis; probably the same Redis image is used.
System Details
Cloudron Version
{ "version": "8.3.2" }
Ubuntu Version
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.2 LTS
Release: 24.04
Codename: noble
Cloudron installation method
Manual with
./cloudron-setup
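The post identifies the vulnerable instances by reading the `Redis version=...` line that each app's Redis logs at startup and comparing it with the fixed release. The script below, an added example that is not from the post or from Cloudron, automates that check over log text: it extracts the version from each startup line and flags anything on the 7.4 line older than 7.4.6, the fixed version named in the post. The sample log lines are constructed for the example (two are copied from the post, the third is a made-up patched instance), and the `FIXED_VERSIONS` table deliberately contains only the 7.4 entry the post states; any other release line is reported as "unknown" rather than guessed.

```python
"""Audit Redis startup log lines for the version fixed in the 7.4 line (example code)."""
import re
import sys
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample input: first two lines are from the forum post, third is a
# made-up line for a patched instance so the audit shows both outcomes.
SAMPLE_LOG_LINES = [
    "Oct 08 12:06:24 13:C 08 Oct 2025 10:06:24.722 * Redis version=7.4.2, bits=64, "
    "commit=00000000, modified=0, pid=13, just started",
    "Oct 08 12:06:24 13:M 08 Oct 2025 10:06:24.725 * Loading RDB produced by version 7.4.2",
    "Oct 09 09:00:00 13:C 09 Oct 2025 07:00:00.000 * Redis version=7.4.6, bits=64, "
    "commit=00000000, modified=0, pid=13, just started",  # constructed, not from the post
]

# Only the fix level stated in the post is recorded: 7.4.x is fixed from 7.4.6.
# Other release lines are intentionally absent so they come back as "unknown".
FIXED_VERSIONS = {(7, 4): (7, 4, 6)}

# Matches the server's own startup banner, not "Loading RDB produced by version ...",
# because the RDB line describes the file's writer, not the running server.
VERSION_RE = re.compile(r"\bRedis version=(\d+)\.(\d+)\.(\d+)\b")


def parse_version(line: str) -> Optional[Version]:
    """Return (major, minor, patch) from a Redis startup line, or None if absent."""
    match = VERSION_RE.search(line)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable(version: Version) -> Optional[bool]:
    """True if older than the known fixed release on its line, False if at or above it,
    None if the release line is not in FIXED_VERSIONS (cannot decide)."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed  # tuple comparison: (7, 4, 2) < (7, 4, 6)


def audit(lines: List[str]) -> List[Tuple[Version, Optional[bool]]]:
    """Extract every startup version in the log and classify it."""
    results = []
    for line in lines:
        version = parse_version(line)
        if version is not None:
            results.append((version, is_vulnerable(version)))
    return results


def render(results: List[Tuple[Version, Optional[bool]]]) -> List[str]:
    """Human-readable report lines, one per detected instance."""
    labels = {True: "VULNERABLE (update required)", False: "fixed", None: "unknown release line"}
    return ["Redis %d.%d.%d: %s" % (*v, labels[flag]) for v, flag in results]


if __name__ == "__main__":
    # Read log text from stdin when piped in (e.g. an app's log export); otherwise
    # fall back to the constructed sample so the script runs stand-alone.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG_LINES
    for report_line in render(audit(source)):
        print(report_line)
```

Feeding each app's Redis log into the script (for example, the log export from the Cloudron app view) lists every instance with its version and whether it predates 7.4.6. Versions on release lines other than 7.4 are reported as unknown rather than as fixed, so an unexpected major or minor version gets looked up against the vendor advisory instead of being silently passed.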
-
More info on the vulnerability at https://thehackernews.com/2025/10/13-year-redis-flaw-exposed-cvss-100.html
Given that Redis on Cloudron isn't exposed to the public internet (only apps have access to it, and there only via authentication), the risk seems very limited unless an app is itself compromised, at which point the app can do more harm anyway. Also note that Redis instances on Cloudron are per-app and thus well isolated.
We will still update it normally in time, probably with a Cloudron 9 patch release.
-
girish has marked this topic as solved