Earlier this week, Wiz Research disclosed a critical remote code execution (RCE) vulnerability known as RediShell (CVE-2025-49844), which is present in both Redis® and its open-source fork Valkey. This vulnerability affects the Redis 6.x and Valkey 8.x versions currently used by Render Key Value instances.
We have found no evidence that this vulnerability has been exploited on Render. To address it, we have scheduled maintenance to upgrade all affected Render Key Value instances to the following patched versions:
- Redis 6.2.20
- Valkey 8.1.4
Action is recommended, but not required. If you take no action, maintenance will occur at your instance's scheduled time. Workspace owners will receive an email listing their affected instances and their respective maintenance times.
We recommend running this maintenance at your earliest convenience from your instance's page in the Render Dashboard. Note that when maintenance begins, your instance will be unavailable for approximately one minute.
Render Key Value instances are protected by multiple layers of security. By default, Key Value instances block all inbound traffic from the public internet, and they accept external connections only from explicitly allowed IP ranges. Additionally, all external connections to a Key Value instance require authentication.
To further strengthen security for your Key Value instances, you can also take the following actions:
- Audit the list of allowed IP ranges for each of your Key Value instances (see the docs).
- Revoke access from any IP ranges that are not necessary.
- Require authentication for private network connections.
- Private network connections don't require authentication by default, because they always originate from your own Render services.
We continuously monitor the security of the Render platform and its open-source components. We remain proactive and steadfast in applying prompt updates to keep customer data and services secure. If you have any questions, please reach out to our support team in the Render Dashboard.