
most people use redis on localhost (i hope)


52,874 are connected to the internet according to Shodan. https://www.shodan.io/search?query=redis+product%3A%22Redis+... Not affiliated with them.


I’d imagine the recent uptick in using services like Upstash may make it harder for people to know if they are vulnerable or not. Is this mitigated by disabling Lua script execution?


Upstash wouldn’t be vulnerable - Upstash doesn’t run upstream redis, it’s a protocol-compatible proprietary implementation.


I would guess it is.

Also:

> Exploitation of this vulnerability requires an attacker to first gain authenticated access to your Redis instance.


it used to be possible to execute redis commands against localhost from the web browser using domain rebinding. but i think redis did something to the protocol to fix this. also, this is only really relevant for developers.



