CVE-2025-48493: Yii 2 Redis may expose AUTH parameters in logs in case of connection failure

June 5, 2025 (updated June 6, 2025)

On failing connection extension writes commands sequence to logs. AUTH parameters are written in plain text exposing username and password. That might be an issue if attacker has access to logs.

References

github.com/advisories/GHSA-g3p6-82vc-43jh
github.com/yiisoft/yii2-redis
github.com/yiisoft/yii2-redis/commit/962252d2c57c187181e67bb66da3f27b4698358d
github.com/yiisoft/yii2-redis/security/advisories/GHSA-g3p6-82vc-43jh
nvd.nist.gov/vuln/detail/CVE-2025-48493

Code Behaviors & Features

Detect and mitigate CVE-2025-48493 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →