<![CDATA[How to update Redis vulnerable version (#RediShell) ?]]>Description

Cloudron common redis image is vulnerable to critical vulnerability (CVE-2025-49844 - 10 CVSS)

Logs

Logs says it's version 7.4.2, fixed version is 7.4.6

Gitlab

Oct 08 12:06:24 13:C 08 Oct 2025 10:06:24.722 * oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
Oct 08 12:06:24 13:C 08 Oct 2025 10:06:24.722 * Redis version=7.4.2, bits=64, commit=00000000, modified=0, pid=13, just started
Oct 08 12:06:24 13:C 08 Oct 2025 10:06:24.722 * Configuration loaded
Oct 08 12:06:24 13:M 08 Oct 2025 10:06:24.722 * monotonic clock: POSIX clock_gettime
Oct 08 12:06:24 13:M 08 Oct 2025 10:06:24.724 # Failed to write PID file: Permission denied
Oct 08 12:06:24 13:M 08 Oct 2025 10:06:24.724 * Running mode=standalone, port=6379.
Oct 08 12:06:24 13:M 08 Oct 2025 10:06:24.725 * Server initialized
Oct 08 12:06:24 13:M 08 Oct 2025 10:06:24.725 * Loading RDB produced by version 7.4.2

Same with N8n:

Oct 08 12:19:46 13:C 08 Oct 2025 10:19:46.483 * oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
Oct 08 12:19:46 13:C 08 Oct 2025 10:19:46.483 * Redis version=7.4.2, bits=64, commit=00000000, modified=0, pid=13, just started
Oct 08 12:19:46 13:C 08 Oct 2025 10:19:46.483 * Configuration loaded
Oct 08 12:19:46 13:M 08 Oct 2025 10:19:46.483 * monotonic clock: POSIX clock_gettime
Oct 08 12:19:46 13:M 08 Oct 2025 10:19:46.485 # Failed to write PID file: Permission denied
Oct 08 12:19:46 13:M 08 Oct 2025 10:19:46.485 * Running mode=standalone, port=6379.
Oct 08 12:19:46 13:M 08 Oct 2025 10:19:46.485 * Server initialized
Oct 08 12:19:46 13:M 08 Oct 2025 10:19:46.486 * Loading RDB produced by version 7.4.2

And all other apps using redis, probably the same redis image is used

System Details

Cloudron Version

{
  "version": "8.3.2"
}

Ubuntu Version

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 24.04.2 LTS
Release:	24.04
Codename:	noble

Cloudron installation method

Manual with ./cloudron-setup

]]>https://forum.cloudron.io/topic/14379/how-to-update-redis-vulnerable-version-redishellRSS for NodeWed, 10 Jun 2026 19:20:07 GMTWed, 08 Oct 2025 10:36:47 GMT60<![CDATA[Reply to How to update Redis vulnerable version (#RediShell) ? on Thu, 09 Oct 2025 12:36:44 GMT]]>I updated redis to 8.2.2 - https://git.cloudron.io/platform/box/-/commit/3547be34010a737d9fbd5aed5bb9e787eeff5456

]]>https://forum.cloudron.io/post/113579https://forum.cloudron.io/post/113579Thu, 09 Oct 2025 12:36:44 GMT<![CDATA[Reply to How to update Redis vulnerable version (#RediShell) ? on Thu, 09 Oct 2025 03:35:29 GMT]]>@nebulon Will you be looking at better alternatives as suggested previously on the forum?

]]>https://forum.cloudron.io/post/113560https://forum.cloudron.io/post/113560Thu, 09 Oct 2025 03:35:29 GMT<![CDATA[Reply to How to update Redis vulnerable version (#RediShell) ? on Wed, 08 Oct 2025 12:50:49 GMT]]>More info on the vulnerability at https://thehackernews.com/2025/10/13-year-redis-flaw-exposed-cvss-100.html

Given that redis on Cloudron isn't exposed to the public internet, only apps have access to it and also there via authentication, the risk seems very limited unless an app is compromised itself at which point the app itself can do more harm anyways. Also note that redis instances on Cloudron are per-app and thus well isolated.

We will still update it normally in time, probably with Cloudron 9 patch release.

]]>https://forum.cloudron.io/post/113553https://forum.cloudron.io/post/113553Wed, 08 Oct 2025 12:50:49 GMT