| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| yiisoft/yii2-redis | composer | < 2.0.20 | 2.0.20 |
CVE-2025-48493 in yiisoft/yii2-redis concerns the logging of Redis AUTH parameters (username and password) in plain text when a connection to the Redis server fails. The error message that carries these parameters is passed to the SocketException constructor, which, before the patch, did not redact them, so they could reach the application logs unchanged.
Commit 962252d2c57c187181e67bb66da3f27b4698358d addresses this by modifying the __construct method of the yii\redis\SocketException class. The patch introduces a regular-expression replacement, `preg_replace('~AUTH \S+ \S+~', 'AUTH *** ***', $message);`, that redacts the AUTH command's parameters from the error message when YII_DEBUG mode is not active.
yii\redis\SocketException::__construct is therefore identified as the vulnerable function: it was responsible for handling (and, before the patch, not redacting) the error message that could contain these credentials. An attacker with access to the application logs where these exceptions are recorded could retrieve the Redis credentials.
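The following PHP script is an added illustration of the before/after behaviour described above; it is not code from the yii2-redis project. The two exception classes, their names and the sample error message are constructed for this example; only the `YII_DEBUG` constant name and the `preg_replace` pattern come from the advisory text.

```php
<?php
// Added example (not yii2-redis project code): a minimal exception class
// before and after the redaction described in the advisory, run against a
// constructed connection-failure message.

if (!defined('YII_DEBUG')) {
    define('YII_DEBUG', false); // production-style setting: credentials must be masked
}

// Hypothetical stand-in for the unpatched behaviour: message stored verbatim.
final class UnpatchedSocketException extends RuntimeException
{
    public function __construct(string $message, int $code = 0, ?Throwable $previous = null)
    {
        parent::__construct($message, $code, $previous);
    }
}

// Hypothetical stand-in for the patched behaviour: AUTH parameters are
// replaced unless the application runs in debug mode.
final class PatchedSocketException extends RuntimeException
{
    public function __construct(string $message, int $code = 0, ?Throwable $previous = null)
    {
        if (!YII_DEBUG) {
            // Same pattern the advisory quotes: "AUTH <user> <password>" -> "AUTH *** ***"
            $message = preg_replace('~AUTH \S+ \S+~', 'AUTH *** ***', $message);
        }
        parent::__construct($message, $code, $previous);
    }
}

// Returns true when the given secret no longer appears in the exception message.
function isRedacted(Throwable $e, string $secret): bool
{
    return strpos($e->getMessage(), $secret) === false
        && strpos($e->getMessage(), 'AUTH *** ***') !== false;
}

// Constructed sample message of the kind a failed connection might produce.
$password = 's3cr3tP@ss';
$raw = "Failed to connect to redis server: AUTH appuser {$password} ... connection refused";

$before = new UnpatchedSocketException($raw);
$after  = new PatchedSocketException($raw);

// What a logger handling each exception would record.
echo 'unpatched: ' . $before->getMessage() . PHP_EOL;
echo 'patched:   ' . $after->getMessage() . PHP_EOL;
echo 'secret redacted in unpatched: ' . var_export(isRedacted($before, $password), true) . PHP_EOL; // false
echo 'secret redacted in patched:   ' . var_export(isRedacted($after, $password), true) . PHP_EOL;  // true
```

Two points worth keeping in mind when reusing this shape. First, the quoted pattern expects exactly two whitespace-separated arguments after `AUTH`; a message that ends with a single-argument `AUTH <password>` and nothing after it would not match, so a redaction pattern should be written for every AUTH form the client can emit. Second, masking inside the exception constructor is a last line of defence: not copying the raw command into the error message in the first place removes the credential from the exception path entirely, and log sinks should still be treated as sensitive.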