CVE-2024-58136
In short
Yii 2 framework versions before 2.0.52 mishandle the attaching of a behavior that is defined by a __class array key, which lets an attacker instantiate arbitrary classes and achieve unauthorized code execution. The flaw is a regression of an earlier fix and was actively exploited in the wild.
Technical detail
CWE-424 (Unrestricted Upload of File with Dangerous Type) relates here to unsafe object instantiation via the __class parameter during behavior attachment. Remote code execution is possible when untrusted input is processed as behavior configuration, and no authentication is required. Exploitation consists of crafting behavior definitions that cause arbitrary classes to be instantiated; the issue is a regression of the fix for CVE-2024-4990.
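As an added defensive example (not code from the Yii project or from this advisory), the following PHP function screens a behavior configuration array built from untrusted input before it is handed to the framework: it rejects any key that selects a class to instantiate, including the __class form described above, unless the selected class is on an application allow-list. The allow-listed class names and the sample inputs are constructed placeholders.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list of behavior classes that untrusted configuration
// may select at the top level. Replace with the application's own list.
const ALLOWED_BEHAVIORS = [
    'app\behaviors\TimestampBehavior',
    'app\behaviors\SluggableBehavior',
];

/**
 * Validate a behavior configuration array that came from untrusted input.
 * Returns null when the array is acceptable, otherwise a reason string.
 */
function validateBehaviorConfig(array $config, int $depth = 0): ?string
{
    if ($depth > 8) {
        return 'configuration nested too deeply';
    }
    foreach ($config as $key => $value) {
        if (is_string($key)) {
            // Normalise 'class', '__class', '_class' etc. to one form so every
            // spelling of a class selector is caught, not only the __class key.
            $normalized = strtolower(ltrim($key, '_'));
            if ($normalized === 'class') {
                $allowed = $depth === 0
                    && is_string($value)
                    && in_array($value, ALLOWED_BEHAVIORS, true);
                if (!$allowed) {
                    return "disallowed class selector '$key'";
                }
                continue;
            }
        }
        // Nested arrays (e.g. further behaviors or event handlers) are checked
        // recursively; a class selector below the top level is never accepted.
        if (is_array($value)) {
            $problem = validateBehaviorConfig($value, $depth + 1);
            if ($problem !== null) {
                return $problem;
            }
        }
    }
    return null;
}

// Constructed inputs: an allow-listed behavior, and a nested __class selector
// naming a class the application never intended to instantiate.
$benign  = ['__class' => 'app\behaviors\TimestampBehavior', 'attribute' => 'updated_at'];
$hostile = ['as extra' => ['__class' => 'Placeholder\UnexpectedClass', 'arg' => 'x']];
var_dump(validateBehaviorConfig($benign));
var_dump(validateBehaviorConfig($hostile));
```

The check is defense in depth for code paths that accept configuration from clients; the fix itself is the upgrade to 2.0.52 referenced below.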
Summary generated and translated by AI from the official description.
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
yiiframework · Yii
References
https://github.com/yiisoft/yii2/commit/40fe496eda529fd1d933b56a1022ec32d3cd0b12
https://github.com/yiisoft/yii2/compare/2.0.51...2.0.52
https://github.com/yiisoft/yii2/pull/20232
https://github.com/yiisoft/yii2/pull/20232#issuecomment-2252459709
https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-58136
https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52