CVE-2025-48493 is a medium-severity vulnerability affecting the yii2-redis extension of the Yii framework version prior to 2.0.20. This extension facilitates Redis key-value store support for Yii framework 2.0 applications. The vulnerability arises from the way the extension handles failed Redis connection attempts: it logs the sequence of commands including the AUTH parameters in plaintext. Specifically, when a connection fails, the username and password used for authentication are recorded in the log files without any masking or encryption. This behavior exposes sensitive credentials to anyone with access to these logs, which could be internal users or attackers who have gained partial access to the system. The vulnerability is classified under CWE-532, which concerns the insertion of sensitive information into log files. The CVSS 4.0 base score is 5.1, indicating a medium severity level. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:H), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The scope is limited (SC:L), and the severity is medium. The issue was fixed in version 2.0.20 of yii2-redis, which prevents logging sensitive AUTH credentials. No known exploits are currently reported in the wild. This vulnerability primarily poses a risk when attackers or unauthorized users have access to log files, which could be through lateral movement, insider threats, or misconfigured log access controls. The risk is that exposed credentials could be used to gain unauthorized access to Redis instances, potentially leading to data exposure or manipulation.

For European organizations using the Yii framework with the yii2-redis extension versions prior to 2.0.20, this vulnerability could lead to credential leakage if logs are accessible to unauthorized parties. Redis is often used as a caching layer or session store, and unauthorized access could allow attackers to manipulate cached data, session information, or application state, potentially leading to data integrity issues or privilege escalation. The exposure of authentication credentials in logs increases the risk of lateral movement within networks if attackers compromise a less privileged system and access logs. This risk is heightened in environments where log files are stored on shared or poorly secured storage or where log retention policies are lax. Given the medium severity and the requirement for some level of privilege to exploit (access to logs), the impact is moderate but could escalate if combined with other vulnerabilities or misconfigurations. European organizations with compliance requirements around data protection (e.g., GDPR) must consider the risk of sensitive credential exposure and potential data breaches resulting from unauthorized Redis access. The vulnerability does not directly lead to remote code execution or denial of service but can be a stepping stone for further attacks.

1. Upgrade yii2-redis to version 2.0.20 or later, where the vulnerability is fixed and AUTH parameters are no longer logged in plaintext. 2. Restrict access to log files strictly using file system permissions and access control lists to ensure only authorized personnel and processes can read logs. 3. Implement centralized logging solutions with encryption and access controls to prevent unauthorized log access. 4. Regularly audit logs and access permissions to detect any unauthorized access attempts. 5. Rotate Redis authentication credentials regularly and immediately after any suspected exposure. 6. Monitor Redis server access logs and application logs for unusual authentication failures or access patterns. 7. Consider using environment variables or secure vault solutions to manage Redis credentials, minimizing their exposure in application configurations and logs. 8. Educate developers and system administrators about the risks of logging sensitive information and enforce secure logging practices across the organization.