How to Check If Azure Cache for Redis Is Affected by CVE-2025-28173 (Redis Sandpiper Vulnerability)

Redis is one of the most widely used in-memory data stores, powering countless applications, including Azure Cache for Redis. In October 2025, a new vulnerability called Redis Sandpiper (CVE-2025-28173) raised concerns across cloud environments.

If your Redis version is 6.0 or older, you may be wondering whether your Azure deployment is at risk — and how to verify, patch, or upgrade it safely.


What Is Redis Sandpiper (CVE-2025-28173)?

Redis Sandpiper is a sandbox escape vulnerability found in Redis versions 8.0 through 8.2.1.
It allows attackers to break out of the Lua sandbox (a scripting environment within Redis) and potentially execute arbitrary code on the host system.

The issue stems from a change introduced in newer Lua implementations used by Redis 8.x, which could allow unsafe function access during script execution.

Is Azure Cache for Redis 6.0 Affected?

No — Azure Cache for Redis version 6.0 is not affected by CVE-2025-28173.

Here’s why:

  • The vulnerability only impacts Redis 8.x (specifically 8.0–8.2.1).
  • Azure’s Redis 6.0 instances use an older Lua engine that doesn’t include the new sandbox mechanism involved in Sandpiper.
  • Microsoft confirmed via Azure Q&A that Redis 6.0 and 7.x instances are not impacted.

So, if you’re running Redis 6.0 on Azure, you are safe from this specific vulnerability.

New Critical Vulnerability: CVE-2025-49844 (RediShell)

While Sandpiper may not affect your instance, another major Redis flaw called RediShell (CVE-2025-49844) does impact older versions — including 6.0.

This vulnerability allows attackers to exploit Lua scripting commands (EVAL, EVALSHA, FUNCTION) to execute malicious code under certain configurations.

Mitigation Steps:

  • Restrict Lua script access by disabling or limiting EVAL and FUNCTION commands using ACLs.
  • Ensure your Redis instance isn’t publicly exposed to the internet.
  • Upgrade to a patched release that includes fixes for this issue (see below).
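The first mitigation step above (restricting EVAL and FUNCTION through ACLs) is easiest to verify by auditing what each ACL user is actually allowed to run. The script below is an added example, not code from the article or from Microsoft: it parses the text returned by `ACL LIST` (obtained with redis-cli; the sample lines here are constructed, including the placeholder password hashes) and replays each user's `+`/`-` command rules in order to report which Lua scripting entry points remain permitted. It is deliberately simplified: only `@all`, `@scripting` and exact command names are evaluated, and a subcommand selector such as `+script|exists` is treated as granting the whole command, which errs on the side of flagging more rather than less. How Azure Cache for Redis exposes ACL users (for example through its access-policy settings) is an assumption to check against your own cache.

```python
from typing import Dict, List

# Commands in Redis's built-in @scripting category: the Lua and Function entry points.
SCRIPTING_COMMANDS = (
    "eval", "evalsha", "eval_ro", "evalsha_ro",
    "script", "function", "fcall", "fcall_ro",
)


def command_allowed(rules: List[str], command: str) -> bool:
    """Replay one ACL user's rule tokens in order and report whether `command`
    ends up permitted. Simplification: only @all, @scripting and exact command
    names are evaluated; other categories (@slow, @dangerous, ...) are ignored."""
    allowed = False
    for tok in rules:
        low = tok.lower()
        if low == "allcommands":
            allowed = True
        elif low == "nocommands":
            allowed = False
        elif low[0] in "+-":
            grant = low[0] == "+"
            # Drop a subcommand selector (e.g. +script|exists) and treat it as the whole command.
            body = low[1:].split("|", 1)[0]
            if body == "@all":
                allowed = grant
            elif body == "@scripting" and command in SCRIPTING_COMMANDS:
                allowed = grant
            elif body == command:
                allowed = grant
    return allowed


def parse_acl_list(acl_output: str) -> Dict[str, List[str]]:
    """Map each 'user <name> <rules...>' line of ACL LIST output to its rule tokens."""
    users: Dict[str, List[str]] = {}
    for line in acl_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        users[parts[1]] = parts[2:]
    return users


def users_with_scripting(acl_output: str) -> Dict[str, List[str]]:
    """Return {user: [permitted scripting commands]} for every enabled user
    that can still reach at least one scripting command."""
    findings: Dict[str, List[str]] = {}
    for name, rules in parse_acl_list(acl_output).items():
        if "off" in rules:  # disabled users cannot authenticate at all
            continue
        allowed = [c for c in SCRIPTING_COMMANDS if command_allowed(rules, c)]
        if allowed:
            findings[name] = allowed
    return findings


# Constructed sample ACL LIST output; the '#...' password hashes are placeholders.
SAMPLE_ACL_LIST = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #0000constructedhash0000 ~app:* &* -@all +@read +@write
user jobs on #1111constructedhash1111 ~* &* -@all +@read +eval +evalsha
user ops on #2222constructedhash2222 ~* &* +@all -@scripting
user legacy off #3333constructedhash3333 ~* &* +@all
"""

if __name__ == "__main__":
    for user, cmds in users_with_scripting(SAMPLE_ACL_LIST).items():
        print(f"{user}: scripting still permitted via {', '.join(cmds)}")
```

In the constructed sample, `default` (full `+@all`) and `jobs` (explicit `+eval +evalsha`) are reported, while `app` never regains scripting after `-@all`, `ops` has it removed with `-@scripting`, and the disabled `legacy` user is skipped. The `default` finding is the usual one to act on first, because a cache reachable with the default user and `+@all` satisfies neither of the first two mitigation bullets.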

How to Check Your Redis Version

You can verify your Redis version in Azure using either the Azure CLI or the Redis CLI:

Option 1: Azure CLI

az redis show --name <your-cache-name> --resource-group <your-resource-group> --query redisVersion

Option 2: Redis CLI

If you have Redis command-line access:

INFO server

You’ll see output like:

redis_version:6.0.20

How to Check If You’re Vulnerable

For Sandpiper (CVE-2025-28173):

  • Only affects Redis 8.0–8.2.1.
  • Redis 6.0 in Azure is not vulnerable.

For RediShell (CVE-2025-49844):

  1. Check if your instance allows Lua scripting (EVAL or FUNCTION).
  2. Review ACLs to ensure untrusted users can’t execute scripts.
  3. Confirm your Redis version is at least one of the patched releases.
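To turn the version check and the two vulnerability checklists above into something repeatable, the script below (an added example, not code from the article or from Microsoft) parses the `redis_version:` line from `INFO server` output and classifies the version against exactly the ranges this article states: Sandpiper affects 8.0 through 8.2.1, and the RediShell-patched releases are 6.2.20, 7.2.11 and 8.2.2, with 6.0 named as affected with no patched release on that line. Any minor line the article does not mention is reported as `unknown` rather than guessed, so the vendor advisory must be consulted for it. The sample INFO text is constructed to match the output shown above.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Sandpiper range as stated in the article: 8.0 through 8.2.1, inclusive.
SANDPIPER_MIN: Version = (8, 0, 0)
SANDPIPER_MAX: Version = (8, 2, 1)

# RediShell-patched releases named in the article, keyed by (major, minor) line.
REDISHELL_PATCHED_FLOORS: Dict[Tuple[int, int], Version] = {
    (6, 2): (6, 2, 20),
    (7, 2): (7, 2, 11),
    (8, 2): (8, 2, 2),
}
# Lines the article says are affected and for which it names no patched release.
LINES_WITHOUT_FIX = {(6, 0)}


def parse_redis_version(info_output: str) -> Version:
    """Extract (major, minor, patch) from the text returned by `INFO server`."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_output, re.MULTILINE)
    if not m:
        raise ValueError("redis_version line not found in INFO output")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def sandpiper_affected(v: Version) -> bool:
    """Tuple comparison gives correct ordering across major/minor/patch."""
    return SANDPIPER_MIN <= v <= SANDPIPER_MAX


def redishell_status(v: Version) -> str:
    """'patched', 'unpatched', or 'unknown' (minor line not covered by the article)."""
    line = (v[0], v[1])
    if line in LINES_WITHOUT_FIX:
        return "unpatched"
    floor = REDISHELL_PATCHED_FLOORS.get(line)
    if floor is None:
        return "unknown"
    return "patched" if v >= floor else "unpatched"


def assess(info_output: str) -> dict:
    """Combine both checks into one report for the version found in INFO output."""
    v = parse_redis_version(info_output)
    return {
        "version": ".".join(str(n) for n in v),
        "sandpiper_affected": sandpiper_affected(v),
        "redishell": redishell_status(v),
    }


# Constructed sample shaped like the `INFO server` output shown in the article.
SAMPLE_INFO = "# Server\r\nredis_version:6.0.20\r\nredis_mode:standalone\r\n"

if __name__ == "__main__":
    print(assess(SAMPLE_INFO))
```

Feed it the real output of `redis-cli INFO server` (or the version string returned by the `az redis show` query above, wrapped as a `redis_version:` line) and act on the two flags: a `sandpiper_affected` of true means the 8.x fix is needed, and a `redishell` of `unpatched` means the instance still needs the ACL restrictions and an upgrade to one of the listed releases.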

How to Upgrade Redis on Azure

To apply security fixes or move to a newer Redis version:

  1. Open Azure Portal → Navigate to your Redis resource.
  2. Under Settings, select Advanced Settings → check available Redis versions.
  3. If you’re on Redis 6.0, plan an upgrade to 6.2.20, 7.2.11, or 8.2.2 (these versions contain the latest fixes).
  4. Use Export Data before upgrading to avoid data loss.
  5. Deploy a new cache instance with the upgraded version and import your backup data.

Is There Any Cost Associated?

Upgrading or migrating your Redis instance may involve cost changes depending on:

  • SKU Tier: Upgrading from Basic/Standard to Premium changes cost.
  • Scaling: Larger memory or CPU sizes increase monthly rates.
  • Migration method: If you deploy a new cache instance temporarily, both instances may incur charges during transition.

You can estimate pricing using Microsoft’s Azure Pricing Calculator.

Read More:

If you rely heavily on Lua scripting, consider migrating to Redis 7.x with enhanced sandboxing and ACL control. Microsoft often rolls out version upgrades through new SKU tiers — so it’s worth checking if your current plan supports seamless migration.
