CVE-2025-48493 yiisoft/yii2-redis

Package

Manager: composer
Name: yiisoft/yii2-redis
Vulnerable Version: >=0 <2.0.20

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H

EPSS: 0.00058 (percentile 0.18181)

Details

Yii 2 Redis may expose AUTH parameters in logs in case of connection failure.

Impact: When a connection fails, the extension writes the command sequence to the logs. AUTH parameters are written in plain text, exposing the username and password. That might be an issue if an attacker has access to the logs.

Metadata

Created: 2025-06-05T16:53:23Z
Modified: 2025-06-06T15:59:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-g3p6-82vc-43jh/GHSA-g3p6-82vc-43jh.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-g3p6-82vc-43jh
Finding: F091
Auto approve: 1