CVE-2025-48493: 
PHP vulnerability analysis and mitigation

The Yii 2 Redis extension, which provides Redis key-value store support for the Yii framework 2.0, contains a security vulnerability identified as CVE-2025-48493. The vulnerability was discovered and disclosed on June 5, 2025, affecting versions prior to 2.0.20. When a connection failure occurs, the extension writes command sequences to logs, including AUTH parameters in plain text which expose username and password credentials (GitHub Advisory, NVD).

The vulnerability has been assigned a CVSS v4.0 base score of 5.1 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H. The issue is classified under CWE-532 (Insertion of Sensitive Information into Log File). The vulnerability specifically involves the exposure of authentication credentials in log files when connection failures occur, with AUTH parameters being written in plain text (GitHub Advisory, Wiz).

The vulnerability could lead to the exposure of Redis authentication credentials if an attacker gains access to the application logs. This could potentially allow unauthorized access to the Redis database if the attacker has network access to the Redis server (GitHub Advisory).

The vulnerability has been fixed in version 2.0.20 of the Yii 2 Redis extension. The fix prevents logging of AUTH parameters when YII_DEBUG is off by implementing credential masking in the SocketException class (GitHub Commit).