At a glance: Patched Redis images rolled out via PR #5443, covering 6.2.20, 7.2.11/7.4.6-alpine, and 8.2.2-alpine, all pinned to immutable digests for reliable, secure deployments.
Redis sits at the core of many modern apps—in BigBearCasaOS, it’s no exception. On October 3, 2025, the Redis team published an urgent security advisory regarding a critical remote code execution vulnerability tracked as CVE-2025-49844, also known as RediShell. This flaw affected every Redis instance supporting Lua scripting since 2012 and allowed attackers to escape the scripting sandbox, gaining direct access to the underlying server for potential data theft, sabotage, or further attacks.
Community response: thanks to Mosman
Immediate awareness in open-source communities is essential during major security events. The BigBearCommunity member Mosman was the first to notify me about this Redis vulnerability on October 3. That early signal enabled a rapid patch cycle—thank you, Mosman, for safeguarding the ecosystem!
What changed in BigBearCasaOS
With PR #5443 on GitHub, BigBearCasaOS upgraded every Redis used in its docker-compose files to patched, official versions:
- Redis 6.x images were bumped to 6.2.20 or the equivalent Alpine variant across apps like Nextcloud, Owncloud, pd3f, and Immich.
- Redis 7.x images now uniformly use at least 7.2.11 or 7.4.6-alpine depending on the application’s requirements.
- Redis 8.x moved to the latest minor release, 8.2.2-alpine, for maximum resilience and consistency.
- All images are now pinned with immutable SHA256 digests, locking deployments to exact patch levels and ensuring supply-chain stability.
No changes were made to functional logic or configuration outside the Redis tag update, guaranteeing backward compatibility while closing the exploit window.
Why it matters
CVE-2025-49844 carries a maximum-severity CVSS of 10.0 because successful exploitation can lead to full host compromise, credential theft, and lateral movement—especially risky in containerized and cloud environments. Even though exploitation requires authenticated access, the real-world risk rises when Redis is exposed to broader networks or misconfigured. Upgrading to patched versions is the most reliable way to eliminate this class of risk while improving deployment reproducibility.
Action steps for users
To stay protected:
- Update BigBearCasaOS to the latest release containing patched Redis images for all applications.
- If deploying custom services, verify that any Redis image/tag used matches or exceeds these patched versions.
- Practice good security hygiene: restrict Redis network access, enable authentication, and monitor service logs as additional layers of defense.
- Reboot your CasaOS to get the updates.
Optional verification tip:
- After updating, run `docker compose config` to confirm the pinned digest is in effect, or `docker inspect` on the running Redis container to validate the exact image digest.
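For the "verify that any Redis image/tag used matches or exceeds these patched versions" step, here is an added example (not code from the original post or the BigBearCasaOS repository): a small Python checker that scans the `image:` lines of a docker-compose file, compares each Redis tag against the patched floors listed above, and reports whether the reference is pinned to a sha256 digest. The compose snippet and the digest inside it are constructed placeholders.

```python
import re

# Minimum patched Redis point releases from PR #5443, keyed by (major, minor).
PATCHED_MIN = {(6, 2): 20, (7, 2): 11, (7, 4): 6, (8, 2): 2}
IMAGE_RE = re.compile(r"^(?P<repo>[^:@\s]+)(?::(?P<tag>[^@\s]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[a-z0-9.]+)?$")  # e.g. 7.2.11-alpine

# Constructed sample compose file; the digest is a placeholder, not a real image digest.
SAMPLE_COMPOSE = """
services:
  nextcloud:
    image: nextcloud:29
  cache-old:
    image: redis:7.2.10-alpine
  cache-pinned:
    image: "redis:8.2.2-alpine@sha256:%s"
  cache-floating:
    image: redis:latest
""" % ("0" * 64)

def check_image(ref):
    """Classify one image reference; returns None when it is not a Redis image."""
    m = IMAGE_RE.match(ref.strip())
    if not m or m.group("repo").rsplit("/", 1)[-1] != "redis":
        return None  # registry:port/redis forms are not handled by this simple regex
    tag, digest = m.group("tag"), m.group("digest")
    finding = {"image": ref, "digest_pinned": digest is not None, "patched": None, "reason": ""}
    v = VERSION_RE.match(tag or "")
    if not v:
        finding["reason"] = "tag is not an explicit x.y.z release, so the patch level cannot be verified"
        return finding
    major, minor, patch = (int(x) for x in v.groups())
    floor = PATCHED_MIN.get((major, minor))
    if floor is None:
        finding["reason"] = f"release line {major}.{minor} is not one listed in PR #5443; review manually"
        return finding
    finding["patched"] = patch >= floor
    finding["reason"] = "ok" if finding["patched"] else f"{major}.{minor}.{patch} is below the patched floor {major}.{minor}.{floor}"
    return finding

def scan_compose(text):
    """Return a finding for every `image:` line in a compose file that names Redis."""
    findings = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("image:"):
            f = check_image(s[len("image:"):].strip().strip("'\""))
            if f:
                findings.append(f)
    return findings
```

Run `scan_compose` over the text of each docker-compose file; any finding with `patched` other than `True`, or with `digest_pinned` equal to `False`, is an image to update or pin.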
Closing thanks
Open-source security relies on fast action and community vigilance. Thanks again to Mosman in the BigBearCommunity, whose timely tip helped shield countless users. And thanks to everyone who contributed, reviewed, and tested the Redis patch across BigBearCasaOS.
If there are questions or feedback, comment below.
If you’ve found value in BigBearCasaOS or any open source projects that I support, or want to support the thousands of hours invested, please consider subscribing on https://ko-fi.com/bigbeartechworld or YouTube!