Audit redis instrumentation for CVE in redis-py < 7.4.0 password leak

mitchh456 · claude · mitchh456 · commit 245246206d3a · 2026-03-31T19:38:13.000Z
redis-py < 7.4.0 exposed passwords in ConnectionPool.__repr__(). Scout APM only wraps Redis.execute_command() and Pipeline.execute() and never accesses ConnectionPool.__repr__(), so we are not affected. Add a security note documenting this finding. Closes #841 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/src/scout_apm/instruments/redis.py b/src/scout_apm/instruments/redis.py
@@ -1,5 +1,10 @@
 # coding=utf-8
 
+# Security note (redis-py 7.4.0, see https://github.com/scoutapp/scout_apm_python/issues/841):
+# redis-py < 7.4.0 leaked passwords in ConnectionPool.__repr__().
+# Scout APM is NOT affected: we only wrap Redis.execute_command() and
+# Pipeline.execute() and never call or log ConnectionPool.__repr__().
+
 import logging
 
 import wrapt
