Critical vulnerability reported in Yii 2 PHP framework
Take action: Update all Yii 2 installations to version 2.0.52 as soon as possible. Network isolation is not a realistic workaround here, since the framework is designed to serve internet-facing applications.
A critical security vulnerability, tracked as CVE-2024-58136 (CVSS score 9.1), has been reported in the Yii 2 PHP web application framework, affecting all versions prior to 2.0.52.
The vulnerability is a regression of a previously patched issue (CVE-2024-4990) and relates to Yii's Behavior system. The flaw occurs in how Yii handles the assignment of behaviors through the 'as behaviorName' => [...] syntax:
When the framework processes a value that isn't an instance of the Behavior class, it calls Yii::createObject($value) without proper type or configuration validation.
An attacker who can manipulate the $value parameter can exploit this to instantiate arbitrary PHP classes, supply malicious constructor arguments, and invoke setter methods. Successful exploitation could lead to complete compromise of Yii-powered applications, potentially allowing attackers to:
- Execute arbitrary code on the target system
- Access sensitive data
- Take control of the application
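To make the mechanism described above concrete from the defender's side, here is an added illustration (not Yii's own code and not the 2.0.52 patch) of the difference between handing an untrusted behavior config straight to an object factory and validating its type first. The class names, the stand-in createObject() and attachBehaviorSafely() are all assumptions made for this example.

```php
<?php
// Added illustration, not Yii framework code: a minimal stand-in for the
// behavior-attachment step. The names below are assumptions for the example.

abstract class Behavior {}                    // stand-in for yii\base\Behavior
final class AuditBehavior extends Behavior {} // a legitimate behavior class
final class Mailer {                          // an unrelated class with a setter
    public function setTransport(string $t): void {}
}

// Stand-in for Yii::createObject(): instantiates whatever 'class' names and
// applies every remaining key as a setter call. Nothing here checks that the
// resulting object is actually a Behavior, which is the flaw the advisory describes.
function createObject(array $config): object
{
    $class = $config['class'];
    unset($config['class']);
    $obj = new $class();
    foreach ($config as $prop => $val) {
        $obj->{'set' . ucfirst($prop)}($val);
    }
    return $obj;
}

// Guard (assumed mitigation pattern, not the project's actual fix): refuse any
// config whose 'class' is not a known subclass of Behavior before instantiating it.
function attachBehaviorSafely(array $config): Behavior
{
    $class = $config['class'] ?? null;
    if (!is_string($class) || !class_exists($class) || !is_subclass_of($class, Behavior::class)) {
        throw new InvalidArgumentException(
            'Refusing to instantiate non-Behavior class: ' . var_export($class, true)
        );
    }
    return createObject($config);
}

// A legitimate behavior config is accepted.
$ok = attachBehaviorSafely(['class' => AuditBehavior::class]);
assert($ok instanceof AuditBehavior);

// A config naming an unrelated class is rejected instead of being instantiated
// and having its setters called.
try {
    attachBehaviorSafely(['class' => Mailer::class, 'transport' => 'smtp']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Calling the unguarded createObject() with the second config would instantiate Mailer and invoke setTransport(), which is exactly the behaviour the type check is there to stop.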
Users of Yii 2 are strongly advised to upgrade immediately to version 2.0.52, which contains the security patch addressing this vulnerability. No alternative mitigations have been provided in the advisory.