CVE-2025-48493: 
PHP vulnerability analysis and mitigation

CVE-2025-48493 affects the Yii 2 Redis extension, which provides Redis key-value store support for the Yii framework 2.0. The vulnerability was discovered and disclosed on June 5, 2025, affecting versions prior to 2.0.20. The issue involves the exposure of authentication credentials in log files when connection failures occur (GitHub Advisory).

When a connection failure occurs, the Yii 2 Redis extension writes command sequences to logs, including AUTH parameters in plain text which expose username and password credentials. The vulnerability has been assigned a CVSS v4.0 base score of 5.1 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H. The issue is classified under CWE-532 (Insertion of Sensitive Information into Log File) (GitHub Advisory, NVD).

The vulnerability could lead to the exposure of Redis authentication credentials if an attacker gains access to the application logs. This could potentially allow unauthorized access to the Redis database if the attacker has network access to the Redis server (GitHub Advisory).

The vulnerability has been fixed in version 2.0.20 of the Yii 2 Redis extension. The fix prevents logging of AUTH parameters when YII_DEBUG is off by implementing credential masking in the SocketException class (GitHub Commit).