Skip to main content

CVE-2025-48493: CWE-532: Insertion of Sensitive Information into Log File in yiisoft yii2-redis

Medium
VulnerabilityCVE-2025-48493cvecve-2025-48493cwe-532
Published: Thu Jun 05 2025 (06/05/2025, 16:33:20 UTC)
Source: CVE Database V5
Vendor/Project: yiisoft
Product: yii2-redis

Description

The Yii 2 Redis extension provides the redis key-value store support for the Yii framework 2.0. On failing connection, the extension writes commands sequence to logs. Prior to version 2.0.20, AUTH parameters are written in plain text exposing username and password. That might be an issue if attacker has access to logs. Version 2.0.20 fixes the issue.

AI-Powered Analysis

AILast updated: 07/07/2025, 15:57:46 UTC

Technical Analysis

CVE-2025-48493 is a medium-severity vulnerability affecting the yii2-redis extension of the Yii framework version prior to 2.0.20. This extension facilitates Redis key-value store support for Yii framework 2.0 applications. The vulnerability arises from the way the extension handles failed Redis connection attempts: it logs the sequence of commands including the AUTH parameters in plaintext. Specifically, when a connection fails, the username and password used for authentication are recorded in the log files without any masking or encryption. This behavior exposes sensitive credentials to anyone with access to these logs, which could be internal users or attackers who have gained partial access to the system. The vulnerability is classified under CWE-532, which concerns the insertion of sensitive information into log files. The CVSS 4.0 base score is 5.1, indicating a medium severity level. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:H), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The scope is limited (SC:L), and the severity is medium. The issue was fixed in version 2.0.20 of yii2-redis, which prevents logging sensitive AUTH credentials. No known exploits are currently reported in the wild. This vulnerability primarily poses a risk when attackers or unauthorized users have access to log files, which could be through lateral movement, insider threats, or misconfigured log access controls. The risk is that exposed credentials could be used to gain unauthorized access to Redis instances, potentially leading to data exposure or manipulation.

Potential Impact

For European organizations using the Yii framework with the yii2-redis extension versions prior to 2.0.20, this vulnerability could lead to credential leakage if logs are accessible to unauthorized parties. Redis is often used as a caching layer or session store, and unauthorized access could allow attackers to manipulate cached data, session information, or application state, potentially leading to data integrity issues or privilege escalation. The exposure of authentication credentials in logs increases the risk of lateral movement within networks if attackers compromise a less privileged system and access logs. This risk is heightened in environments where log files are stored on shared or poorly secured storage or where log retention policies are lax. Given the medium severity and the requirement for some level of privilege to exploit (access to logs), the impact is moderate but could escalate if combined with other vulnerabilities or misconfigurations. European organizations with compliance requirements around data protection (e.g., GDPR) must consider the risk of sensitive credential exposure and potential data breaches resulting from unauthorized Redis access. The vulnerability does not directly lead to remote code execution or denial of service but can be a stepping stone for further attacks.

Mitigation Recommendations

1. Upgrade yii2-redis to version 2.0.20 or later, where the vulnerability is fixed and AUTH parameters are no longer logged in plaintext. 2. Restrict access to log files strictly using file system permissions and access control lists to ensure only authorized personnel and processes can read logs. 3. Implement centralized logging solutions with encryption and access controls to prevent unauthorized log access. 4. Regularly audit logs and access permissions to detect any unauthorized access attempts. 5. Rotate Redis authentication credentials regularly and immediately after any suspected exposure. 6. Monitor Redis server access logs and application logs for unusual authentication failures or access patterns. 7. Consider using environment variables or secure vault solutions to manage Redis credentials, minimizing their exposure in application configurations and logs. 8. Educate developers and system administrators about the risks of logging sensitive information and enforce secure logging practices across the organization.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-05-22T12:11:39.121Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6841c953182aa0cae2e70b16

Added to database: 6/5/2025, 4:44:03 PM

Last enriched: 7/7/2025, 3:57:46 PM

Last updated: 8/18/2025, 5:23:37 AM

Views: 14

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats