If you build web applications using the PHP Yii2 framework, you might use the Yii2 Redis extension to connect your app to a Redis database. Redis often requires authentication, and the extension helps manage that process behind the scenes.
Recently, however, a serious security issue was found in versions of the extension before 2..20. If your Redis connection fails, the library may write your Redis username and password in plain text to the application log files—which can be a disaster if access to those logs is not well secured. This vulnerability was assigned the identifier CVE-2025-48493.
Let’s break down what this means, how it works, and how to fix it.
What is the Yii2 Redis Extension?
The Yii2 Redis Extension is a popular official plugin for Yii2 that lets you interact with a Redis server, using it for caching, sessions, queues, and more. To connect to the server, you usually supply the hostname, port, and AUTH credentials (username and password).
Found in: yiisoft/yii2-redis versions before 2..20
Problem:
When making a connection to Redis, the extension keeps a record of the sequence of commands sent to the server. If there’s a connection failure—for example, your server is slow or you misconfigure the port—it writes the whole set of commands to your application logs for troubleshooting.
But: the exact pipeline of commands, including the AUTH command and its parameters, gets saved as raw text.
If your Redis connection configuration looks like this:

```php
return [
    'class' => 'yii\redis\Connection',
    'hostname' => 'localhost',
    'port' => 6379,
    'username' => 'redis-user',
    'password' => 'SuperSecretPasswrd',
];
```
On a failed connection, an entry very much like this can appear in your logs (*shortened for clarity*):

```
[error][yii\redis\Connection::open] Redis connection failed: ...
Commands sent:
AUTH redis-user SuperSecretPasswrd
SELECT
```
> Notice how the log includes both the username and password in plain text! Anyone with access to logs can now grab your Redis credentials.
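The root cause is a formatting step that joins every queued command and its arguments verbatim before handing the text to the logger. As an added example (not the yii2-redis extension's own code), the script below contrasts that unsafe pattern with a version that masks the arguments of AUTH before the message is built; the function names, the `SENSITIVE_REDIS_COMMANDS` list and the sample pipeline are assumptions constructed for the illustration.

```php
<?php
// Added example, not code from the yii2-redis extension: show the risky
// "dump the raw pipeline" pattern beside a redacting formatter.

declare(strict_types=1);

/** Commands whose arguments are secrets and must never reach a log (assumed list). */
const SENSITIVE_REDIS_COMMANDS = ['AUTH'];

/**
 * Risky: joins every command and argument verbatim, so a pipeline that starts
 * with AUTH puts the username and password into the log in clear text.
 */
function formatCommandsUnsafe(array $commands): string
{
    return implode("\n", array_map(fn(array $c): string => implode(' ', $c), $commands));
}

/**
 * Hardened: same layout, but the arguments of sensitive commands are replaced
 * by a fixed mask. The command name is kept so the trace still helps debugging.
 */
function formatCommandsRedacted(array $commands): string
{
    $lines = [];
    foreach ($commands as $command) {
        $name = strtoupper((string) ($command[0] ?? ''));
        if (in_array($name, SENSITIVE_REDIS_COMMANDS, true)) {
            $argCount = count($command) - 1;
            $lines[] = trim($name . ' ' . str_repeat('***** ', $argCount));
        } else {
            $lines[] = implode(' ', $command);
        }
    }
    return implode("\n", $lines);
}

// Constructed sample pipeline resembling what a client sends when it opens a
// connection: authenticate, then pick a database.
$pipeline = [
    ['AUTH', 'redis-user', 'SuperSecretPasswrd'],
    ['SELECT', '0'],
];

echo "Unsafe log entry:\n" . formatCommandsUnsafe($pipeline) . "\n\n";
echo "Redacted log entry:\n" . formatCommandsRedacted($pipeline) . "\n";
```

Run it with `php redact_demo.php`: the first block prints the username and password exactly as the vulnerable log entry above does, the second prints `AUTH ***** *****` followed by the unchanged `SELECT 0`. The point of the design is that redaction happens where the message is composed, so it does not depend on every logger target being configured to filter secrets.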
Why is This Bad?
- Log files are very often accessible to developers, admins, and, if not well-protected, even to attackers who get onto your server or find misconfigured log servers.
- Redis credentials might allow someone to read, write, or delete data; sometimes they even enable code execution or lateral movement in your system.
Exploit Scenario
What an attacker can do:
If they gain access to application logs (sometimes through vulnerabilities like Log4Shell, though that’s not PHP-specific), they can simply *search logs for the word 'AUTH'* and in seconds recover credentials.
Sample Exploit (log file search)

```sh
grep 'AUTH' /path/to/app/runtime/logs/app.log
```

Output:

```
AUTH redis-user SuperSecretPasswrd
```

Now, using the popular Redis CLI, they could try

```sh
redis-cli -h <target-host> -a SuperSecretPasswrd -u redis-user
```
Mitigation & Update
- The fix: yiisoft/yii2-redis version 2..20, released on GitHub, removes authentication credentials from logging.

```sh
composer require "yiisoft/yii2-redis:^2..20"
```
- Review your logs: Search through existing logs for any leaked credentials and rotate/change all affected passwords right away.
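A plain `grep 'AUTH'` finds the leak but also prints the secret again, this time to a terminal and possibly a shell history. As an added example (not part of the yii2-redis project), the audit script below reports every clear-text AUTH line by line number and username while masking the password, so the review itself does not create another copy of the credential; the function name `findAuthLeaks`, the file-name argument and the embedded sample log are assumptions constructed for the example.

```php
<?php
// Added example, not code from the yii2-redis project: scan an application log
// for AUTH commands written in clear text and report them without repeating
// the secret. Usage: php find_auth_leaks.php [logfile]
// With no argument it runs on the constructed sample below.

declare(strict_types=1);

/**
 * Returns one entry per leaked AUTH line: the 1-based line number, the
 * username (when the two-argument "AUTH <user> <password>" form was logged,
 * otherwise null for the legacy "AUTH <password>" form) and a masked password.
 */
function findAuthLeaks(string $logText): array
{
    $findings = [];
    foreach (preg_split('/\R/', $logText) as $i => $line) {
        if (!preg_match('/^\s*AUTH\s+(\S+)(?:\s+(\S+))?\s*$/i', $line, $m)) {
            continue;
        }
        $hasUser = isset($m[2]) && $m[2] !== '';
        $findings[] = [
            'line'     => $i + 1,
            'username' => $hasUser ? $m[1] : null,
            // Keep only the length, which is enough to prove the leak is real.
            'password' => str_repeat('*', strlen($hasUser ? $m[2] : $m[1])),
        ];
    }
    return $findings;
}

// Constructed sample resembling the failed-connection entry described above
// (nowdoc, so the backslashes in the class name are kept literally).
$sample = <<<'LOG'
[error][yii\redis\Connection::open] Redis connection failed: Connection refused
Commands sent:
AUTH redis-user SuperSecretPasswrd
SELECT 0
[info][application] request completed
LOG;

$source = $argv[1] ?? null;
$text = $source !== null ? file_get_contents($source) : $sample;
if ($text === false) {
    fwrite(STDERR, "cannot read $source\n");
    exit(2);
}

$leaks = findAuthLeaks($text);
if ($leaks === []) {
    echo "no AUTH credentials found\n";
    exit(0);
}
foreach ($leaks as $leak) {
    printf("line %d: AUTH %s %s\n", $leak['line'], $leak['username'] ?? '(no user)', $leak['password']);
}
echo "rotate every credential listed above, then purge or re-protect the log\n";
exit(1);
```

On the embedded sample it prints `line 3: AUTH redis-user ******************` and exits with status 1, which makes it easy to wire into a scheduled job that fails loudly when a rotated log still contains credentials. Point it at every log target Yii2 writes to, not only `runtime/logs/app.log`, since the same message may have been mirrored to syslog or a remote collector.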
Original References
- Security Advisory: Credentials leak in logs
- Release notes for 2..20
- Yii2 Redis Extension: GitHub repository
Summary Table
| Version | Status | Credentials Leaked? |
|-----------------|------------|---------------------|
| < 2..20 | Vulnerable | Yes |
| 2..20 or later | Patched | No |
Conclusion
CVE-2025-48493 reminds us that “little” debug conveniences can expose sensitive data to risk. If you use Yii2 with Redis—and especially if your applications sit on shared servers or in the cloud—*make sure you patch up right away*, and never treat your logs as garbage! They may tell stories you don’t expect.
Stay safe. Patch, audit, and review logs now.
*Exclusive content written for your security awareness. For comments or corrections, please check the official Yii2 Redis project and advisories.*
Timeline
Published on: 06/05/2025 17:15:29 UTC
Last modified on: 06/05/2025 20:12:23 UTC