redis
diff --git a/‎.github/workflows/integration.yaml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/integration.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎redis/asyncio/connection.py‎
Lines changed: 16 additions & 1 deletion b/‎redis/asyncio/connection.py‎
Lines changed: 16 additions & 1 deletion
diff --git a/‎redis/cluster.py‎
Lines changed: 16 additions & 11 deletions b/‎redis/cluster.py‎
Lines changed: 16 additions & 11 deletions
diff --git a/‎redis/connection.py‎
Lines changed: 16 additions & 1 deletion b/‎redis/connection.py‎
Lines changed: 16 additions & 1 deletion
diff --git a/‎tests/test_asyncio/test_connection_pool.py‎
Lines changed: 25 additions & 0 deletions b/‎tests/test_asyncio/test_connection_pool.py‎
Lines changed: 25 additions & 0 deletions
@@ -45,6 +45,7 @@ jobs:
           ignore-vulns: |
             GHSA-w596-4wvx-j9j6  # subversion related git pull, dependency for pytest. There is no impact here.
             CVE-2026-26007 # dependency for entraid tests
+            CVE-2026-32597 # PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515, this will be fixed in the next release
 
   lint:
     name: Code linters
 
@@ -1308,8 +1308,23 @@ def __init__(
         if self._event_dispatcher is None:
             self._event_dispatcher = EventDispatcher()
 
+    # Keys that should be redacted in __repr__ to avoid exposing sensitive information
+    SENSITIVE_REPR_KEYS = frozenset(
+        {
+            "password",
+            "username",
+            "ssl_password",
+            "credential_provider",
+        }
+    )
+
     def __repr__(self):
-        conn_kwargs = ",".join([f"{k}={v}" for k, v in self.connection_kwargs.items()])
+        conn_kwargs = ",".join(
+            [
+                f"{k}={'<REDACTED>' if k in self.SENSITIVE_REPR_KEYS else v}"
+                for k, v in self.connection_kwargs.items()
+            ]
+        )
         return (
             f"<{self.__class__.__module__}.{self.__class__.__name__}"
             f"(<{self.connection_class.__module__}.{self.connection_class.__name__}"
 
@@ -1560,7 +1560,7 @@ def _execute_command(self, target_node, *args, **kwargs):
                 self._record_command_metric(
                     command_name=command,
                     duration_seconds=time.monotonic() - start_time,
-                    connection=connection,
+                    connection=e.connection,
                     error=e,
                 )
                 raise
@@ -1576,7 +1576,7 @@ def _execute_command(self, target_node, *args, **kwargs):
                 self._record_command_metric(
                     command_name=command,
                     duration_seconds=time.monotonic() - start_time,
-                    connection=connection,
+                    connection=e.connection,
                     error=e,
                 )
                 raise
@@ -1615,11 +1615,10 @@ def _execute_command(self, target_node, *args, **kwargs):
 
                 # DON'T set redis_connection = None - keep the pool for reuse
                 self.nodes_manager.initialize()
-                e.connection = connection
                 self._record_command_metric(
                     command_name=command,
                     duration_seconds=time.monotonic() - start_time,
-                    connection=connection,
+                    connection=e.connection,
                     error=e,
                 )
                 raise e
@@ -1723,17 +1722,19 @@ def _execute_command(self, target_node, *args, **kwargs):
                 self._record_command_metric(
                     command_name=command,
                     duration_seconds=time.monotonic() - start_time,
-                    connection=connection,
+                    connection=e.connection,
                     error=e,
                 )
                 raise
             except ResponseError as e:
                 # this is used to report the metrics based on host and port info
-                e.connection = connection
+                # ResponseError typically happens after get_connection() succeeds,
+                # so connection should be available
+                e.connection = connection if connection else target_node
                 self._record_command_metric(
                     command_name=command,
                     duration_seconds=time.monotonic() - start_time,
-                    connection=connection,
+                    connection=e.connection,
                     error=e,
                 )
                 raise
@@ -1748,7 +1749,7 @@ def _execute_command(self, target_node, *args, **kwargs):
                 self._record_command_metric(
                     command_name=command,
                     duration_seconds=time.monotonic() - start_time,
-                    connection=connection,
+                    connection=e.connection,
                     error=e,
                 )
                 raise e
@@ -1780,12 +1781,16 @@ def _record_command_metric(
         """
         Records operation duration metric directly.
         """
+        host = connection.host if connection else "unknown"
+        port = connection.port if connection else 0
+        db = str(connection.db) if connection and hasattr(connection, "db") else "0"
+
         record_operation_duration(
             command_name=command_name,
             duration_seconds=duration_seconds,
-            server_address=connection.host,
-            server_port=connection.port,
-            db_namespace=str(connection.db),
+            server_address=host,
+            server_port=port,
+            db_namespace=db,
             error=error,
         )
 
 
@@ -2876,8 +2876,23 @@ def __init__(
 
         self.reset()
 
+    # Keys that should be redacted in __repr__ to avoid exposing sensitive information
+    SENSITIVE_REPR_KEYS = frozenset(
+        {
+            "password",
+            "username",
+            "ssl_password",
+            "credential_provider",
+        }
+    )
+
     def __repr__(self) -> str:
-        conn_kwargs = ",".join([f"{k}={v}" for k, v in self.connection_kwargs.items()])
+        conn_kwargs = ",".join(
+            [
+                f"{k}={'<REDACTED>' if k in self.SENSITIVE_REPR_KEYS else v}"
+                for k, v in self.connection_kwargs.items()
+            ]
+        )
         return (
             f"<{self.__class__.__module__}.{self.__class__.__name__}"
             f"(<{self.connection_class.__module__}.{self.connection_class.__name__}"
 
@@ -418,6 +418,31 @@ def test_repr_contains_db_info_unix(self):
         expected = "path=abc,db=0,client_name=test-client"
         assert expected in repr(pool)
 
+    def test_repr_redacts_sensitive_information(self):
+        """Test that __repr__ redacts sensitive values like password and username."""
+        pool = ConnectionPool(
+            host="localhost",
+            port=6379,
+            password="secret_password_123",
+            username="myuser",
+            ssl_password="ssl_secret_456",
+            db=0,
+        )
+        repr_output = repr(pool)
+
+        # Verify sensitive values are redacted
+        assert "secret_password_123" not in repr_output
+        assert "myuser" not in repr_output
+        assert "ssl_secret_456" not in repr_output
+
+        # Verify the REDACTED placeholder is present
+        assert "<REDACTED>" in repr_output
+
+        # Verify non-sensitive values are still visible
+        assert "host=localhost" in repr_output
+        assert "port=6379" in repr_output
+        assert "db=0" in repr_output
+
 
 class TestConnectionPoolURLParsing:
     def test_hostname(self):