CVE-2025-48493 MEDIUM

CVE-2025-48493: Yii 2 Redis may expose AUTH parameters in logs in case of connection failure

Vendor Yiisoft
Product yii2-redis
Weakness CWE-532 · Sensitive info in logs
Published June 5, 2025
Last update June 9, 2025

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H

What the vulnerability does

01 Description

The Yii 2 Redis extension provides Redis key-value store support for the Yii framework 2.0. When a connection fails, the extension writes the command sequence to the logs. Prior to version 2.0.20, AUTH parameters are written in plain text, exposing the username and password. This may be an issue if an attacker has access to the logs. Version 2.0.20 fixes the issue.
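For logs written before the upgrade, the AUTH arguments can be masked after the fact. The following is an added example, not yii2-redis code and not the 2.0.20 fix: a Python scrubber that masks AUTH arguments in log text and counts how many it found. The log layout is an assumption (commands recorded either RESP-encoded or as an inline `AUTH ...` line), and `redact_auth`, `MASK` and the sample text are hypothetical names and constructed data.

```python
import re

MASK = "***"
# Field separators as a log may hold them: real CRLF/LF, or the escaped text
# "\r\n" (assumption: the logger may escape control characters).
_SEP = re.compile(r"(\r\n|\\r\\n|\n)")
# Inline form: "AUTH <password>" or "AUTH <username> <password>".
_INLINE = re.compile(r"((?:^|:\s)\s*AUTH)((?:[ \t]+\S+){1,2})[ \t]*$", re.I)


def redact_auth(text):
    """Mask AUTH arguments; return (redacted_text, commands_masked)."""
    parts = _SEP.split(text)  # fields at even indexes, separators at odd
    hits = 0
    for i in range(0, len(parts), 2):
        # RESP form: "*<n>", "$4", "AUTH", then n-1 pairs of "$<len>", data.
        head = re.search(r"\*([23])$", parts[i])
        if (head and i + 4 < len(parts) and parts[i + 2] == "$4"
                and parts[i + 4].upper() == "AUTH"):
            for k in range(int(head.group(1)) - 1):
                ln, data = i + 6 + 4 * k, i + 8 + 4 * k
                if data < len(parts):
                    # Replace the length too, so it does not leak either.
                    parts[ln], parts[data] = f"${len(MASK)}", MASK
            hits += 1
            continue
        parts[i], n = _INLINE.subn(
            lambda m: m.group(1) + f" {MASK}" * len(m.group(2).split()),
            parts[i])
        hits += n
    return "".join(parts), hits


# Constructed sample log text (not captured from a real system).
SAMPLE = ("constructed: connection failed; commands sent: "
          "*3\\r\\n$4\\r\\nAUTH\\r\\n$8\\r\\napp_user"
          "\\r\\n$6\\r\\ns3cr3t\\r\\n")

if __name__ == "__main__":
    redacted, count = redact_auth(SAMPLE)
    print(f"{count} AUTH command(s) masked")
    print(redacted)
```

A non-zero count on logs from a version before 2.0.20 means the Redis credentials were written in plain text and should be rotated.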

Key dates

02 Disclosure timeline

June 5, 2025 CVE published
June 9, 2025 Record updated