Yii 2 Redis may expose AUTH parameters in logs in case of connection failure
Description
The Yii 2 Redis extension provides Redis key-value store support for the Yii framework 2.0. When a connection fails, the extension writes the command sequence to the logs. Prior to version 2.0.20, the AUTH parameters are written in plain text, exposing the username and password; this is a problem when an attacker has access to the logs. Version 2.0.20 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Yii 2 Redis extension prior to v2.0.20 logs AUTH credentials in plaintext on connection failure, risking credential exposure to attackers with log access.
Vulnerability Overview
The Yii 2 Redis extension, which provides Redis key-value store support for the Yii framework 2.0, writes the AUTH parameters (username and password) in plain text to the logs when a connection attempt fails, in versions prior to 2.0.20 [1][2]. The extension logs the whole command sequence of the failed exchange without sanitizing the authentication arguments, so the credentials land in the log verbatim [1].
Exploitation Scenario
The attacker needs no credentials on the vulnerable application itself, but does need read access to its log files [1][2]. That access can come from a separate vulnerability such as path traversal or an arbitrary file read, from a shared or centralized log store, or from a log-shipping pipeline that forwards the application log to other systems. Whether the vector is local or remote therefore depends only on where the logs are readable; no privilege on the application beyond that read access is required [1].
Impact
Successful exploitation yields the Redis username and password in plain text, which lets the attacker authenticate to the Redis instance and read or modify whatever the application keeps there and any service built on it (Cache, Session, ActiveRecord) [1][2]. NVD has not yet assigned a CVSS v4.0 severity, but the exposed material is a live authentication credential [2].
Mitigation
The vulnerability is fixed in version 2.0.20 of the yiisoft/yii2-redis extension [1][2]; upgrade to that version or later. The fix masks the AUTH arguments in the exception message that is logged on connection failure [3]; per the fix commit's changelog entry the masking applies only when YII_DEBUG is off, so production deployments must keep YII_DEBUG disabled to benefit from it. No workaround is listed [1], so updating is the recommended mitigation. Logs written before the upgrade may already contain the credential, so reviewing existing logs and rotating the Redis password is a sensible follow-up.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
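As an added example for the Vulnerability Overview and Mitigation sections above (not code from this page or from the yii2-redis project), the following Python script transcribes the redaction from the fix commit's SocketException.php, applies it to constructed exception messages of the "Redis command was: ..." shape the advisory describes, and scans constructed log lines for AUTH arguments that survived masking, which is the check a responder would run over existing logs before deciding whether to rotate the Redis credential. The message texts, the log-line format, the helper names and the broader mask_broad() pattern are all assumptions made for the example; the PCRE pattern from the patch has the same meaning under Python's re module.

```python
"""Exposure of Redis AUTH arguments through yii2-redis exception messages.

Added illustration; not code from the yii2-redis project. The one thing taken
from the project is the redaction in the 2.0.20 fix (src/SocketException.php):
    preg_replace('~AUTH \\S+ \\S+~', 'AUTH *** ***', $message)   # when YII_DEBUG is off
Message texts, log lines and every helper name below are constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# Redaction exactly as in the fix: two whitespace-free tokens after "AUTH ".
# PCRE and Python's re agree on the meaning of this pattern.
PATCH_PATTERN = re.compile(r"AUTH \S+ \S+")


def mask_like_patch(message: str, yii_debug: bool = False) -> str:
    """Mirror the patched SocketException constructor: mask only when YII_DEBUG is off."""
    if yii_debug:
        return message
    return PATCH_PATTERN.sub("AUTH *** ***", message)


# Broader redaction, an assumption for comparison rather than project code: drop
# everything after the AUTH keyword, which also covers a single-argument AUTH and
# the RESP wire encoding, where the arguments are separated by CRLF, not spaces.
BROAD_PATTERN = re.compile(r"\bAUTH\b.*", re.DOTALL)


def mask_broad(message: str) -> str:
    return BROAD_PATTERN.sub("AUTH ***", message)


def leaks(message: str, secrets: List[str]) -> bool:
    """True if any credential still appears verbatim in the message."""
    return any(secret in message for secret in secrets)


# Constructed exception messages in the shape "...Redis command was: <command>".
# Which of these shapes yii2-redis itself emits is not shown on the page; they
# exist to exercise the regex on the AUTH forms Redis accepts.
USER, PASSWORD = "app-user", "s3cr3t-pw"
CONSTRUCTED_MESSAGES: Dict[str, str] = {
    "acl_user_and_password": "Failed to read from socket.\nRedis command was: AUTH app-user s3cr3t-pw",
    "password_only": "Failed to read from socket.\nRedis command was: AUTH s3cr3t-pw",
    "resp_wire_form": ("Failed to write to socket.\nRedis command was: "
                       "*3\r\n$4\r\nAUTH\r\n$8\r\napp-user\r\n$9\r\ns3cr3t-pw\r\n"),
}


def audit_redaction(yii_debug: bool = False) -> Dict[str, Tuple[bool, bool]]:
    """Per message: (credential leaks after the patch's mask, leaks after the broad mask)."""
    secrets = [USER, PASSWORD]
    return {
        name: (leaks(mask_like_patch(msg, yii_debug), secrets), leaks(mask_broad(msg), secrets))
        for name, msg in CONSTRUCTED_MESSAGES.items()
    }


# Triage of existing logs: flag "AUTH" followed by anything other than the "***"
# mask. \s+ rather than a literal space also catches the CRLF-separated RESP form.
LEAK_PATTERN = re.compile(r"\bAUTH\s+(?!\*\*\*)\S")


def find_leaked_auth(log_lines: List[str]) -> List[int]:
    """Return 1-based numbers of lines that still carry unmasked AUTH arguments."""
    return [n for n, line in enumerate(log_lines, start=1) if LEAK_PATTERN.search(line)]


# Constructed log lines, loosely shaped like Yii's file log target; not real output.
CONSTRUCTED_LOG = [
    "2025-05-20 10:00:01 [10.0.0.5][-][-][error][yii\\redis\\Connection::executeCommand] "
    "yii\\redis\\SocketException: Failed to read from socket. Redis command was: AUTH app-user s3cr3t-pw",
    "2025-05-20 10:00:02 [10.0.0.5][-][-][trace][yii\\redis\\Connection::executeCommand] "
    "Executing Redis Command: AUTH",
    "2025-05-20 10:00:03 [10.0.0.5][-][-][error][yii\\redis\\Connection::executeCommand] "
    "yii\\redis\\SocketException: Failed to read from socket. Redis command was: AUTH *** ***",
    "2025-05-20 10:00:04 [10.0.0.5][-][-][info][application] GET /health",
]


if __name__ == "__main__":
    for name, (patch_leaks, broad_leaks) in audit_redaction().items():
        print(f"{name:24s} patch-mask leaks={patch_leaks!s:5s} broad-mask leaks={broad_leaks}")
    print("leaked AUTH on log lines:", find_leaked_auth(CONSTRUCTED_LOG))
```

Run as a script it prints which constructed message shapes the patch's two-token pattern masks and which it passes through, and reports the log line that still carries the credential. The practical use of find_leaked_auth() is over archived application logs after the upgrade: any hit means the Redis password was written to disk and should be rotated, independently of whether the attacker is known to have read it. Redacting in the caller before the command text is placed into the exception message would remove the dependency on the message layout that the regex-based approach has.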
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yiisoft/yii2-redis (Packagist) | < 2.0.20 | 2.0.20 |
Affected products
- Range: < 2.0.20
- yiisoft/yii2-redis: Range < 2.0.20
Patches
962252d2c57c Merge commit from fork
2 files changed · +9 −0
CHANGELOG.md+1 −0 modified@@ -5,6 +5,7 @@ Yii Framework 2 redis extension Change Log ------------------------ - Bug #270: Prevent null parameter on `mb_strlen` to avoid PHP 8.4 implicity nullable types deprecation (tehmaestro) +- Bug CVE-2025-48493: Prevent logging `AUTH` parameters when `YII_DEBUG` is off (samdark) 2.0.19 February 13, 2025
src/SocketException.php+8 −0 modified@@ -15,6 +15,14 @@ */ class SocketException extends Exception { + public function __construct($message = null, $code = 0, \Exception $previous = null) + { + if (!YII_DEBUG) { + $message = preg_replace('~AUTH \S+ \S+~', 'AUTH *** ***', $message); + } + parent::__construct($message, $code, $previous); + } + /** * @return string the user-friendly name of this exception */
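Review bot: in the SocketException hunk, the mask `preg_replace('~AUTH \S+ \S+~', 'AUTH *** ***', $message)` only fires when AUTH is followed by exactly two single-space-separated tokens, so a message carrying the single-argument form `AUTH <password>` at its end, or AUTH arguments separated by anything other than one space, is passed through unredacted; redact everything after the keyword instead (e.g. `'~AUTH\b.*~s'` replaced with `'AUTH ***'`), or better, redact in the caller before the command text is put into the message so the exception class does not have to guess the message layout. Two smaller points: the redaction is skipped entirely when `YII_DEBUG` is true, which the CHANGELOG entry states but the class docblock does not, so document it on the constructor; and `\Exception $previous = null` is an implicitly nullable parameter, which PHP 8.4 deprecates in the same family as the `#270` entry in the CHANGELOG hunk, so either drop the type hint to match the parent `\Exception` constructor or, if the project's minimum PHP version allows it, write `?\Exception $previous = null`.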
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-g3p6-82vc-43jh (GHSA; ADVISORY)
- [2] nvd.nist.gov/vuln/detail/CVE-2025-48493 (GHSA; ADVISORY)
- [3] github.com/yiisoft/yii2-redis/commit/962252d2c57c187181e67bb66da3f27b4698358d (GHSA; x_refsource_MISC; WEB)
- [4] github.com/yiisoft/yii2-redis/security/advisories/GHSA-g3p6-82vc-43jh (GHSA; x_refsource_CONFIRM; WEB)