Hi all,
We are using Redis Memorystore in GCP and came across CVE-2025-49844. Some context:
- The vendor has provided fixes for this vulnerability across multiple OSS Redis versions, including 7.2.11+.
- The latest version available / Recommended in GCP Memorystore is 7.2.4.
- Since this is a managed Redis instance, some ACL-related commands are restricted, so we cannot manually apply the vendor fixes.
We have already:
- Ensured AUTH is enabled and access is restricted to private VPCs.
- Confirmed that no public exposure exists.
We are looking for:
- Any workarounds or mitigation steps that can be applied while waiting for the patched version from GCP.
- Confirmation on whether there is any timeline for the patched version to be released.
https://redis.io/blog/security-advisory-cve-2025-49844/
Thanks in advance for any guidance!
Regards
Thamarai