Vulnerability in Yii Framework Affects Behavior Class Validation
CVE-2024-4990
9.1 CRITICAL
What is CVE-2024-4990?
In version 2.0.48 of Yii Framework, a vulnerability exists in the base Component class: the __set() magic method fails to validate the value supplied for behavior classes or behavior configurations. This flaw lets an attacker instantiate arbitrary classes, which, depending on the dependencies in use, can lead to unauthorized code execution, access to sensitive information, or other harmful outcomes. Developers must take immediate action to address this significant security concern.
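To make the advisory's point concrete, here is an added illustration (not Yii's code and not its actual patch) of the unvalidated behavior attachment beside a hardened form. The Behavior class, createObject() function and the two component classes are minimal stand-ins assumed for this example so it runs without Yii.

```php
<?php
// Added illustration only: stand-ins for yii\base\Behavior and Yii::createObject() so the
// snippet runs without Yii. Not the project's code or its actual patch.
abstract class Behavior {}
class AuditBehavior extends Behavior {}
// Assumed stand-in for Yii::createObject(): instantiates the configured class.
function createObject($config) {
    $class = is_string($config) ? $config : $config['class'];
    return new $class();
}
// Pattern the advisory describes: an "as <name>" key attaches whatever the value resolves
// to, so a config naming any class is instantiated before anything checks it.
class VulnerableComponent {
    public $behaviors = [];
    public function __set($name, $value) {
        if (strncmp($name, 'as ', 3) === 0) {
            $this->behaviors[substr($name, 3)] = $value instanceof Behavior ? $value : createObject($value);
            return;
        }
        throw new Exception("Unknown property: $name");
    }
}
// Hardened variant: validate the class name before instantiation, accept objects only if
// they already are Behaviors.
class HardenedComponent {
    public $behaviors = [];
    public function __set($name, $value) {
        if (strncmp($name, 'as ', 3) === 0) {
            if (!$value instanceof Behavior) {
                $class = is_string($value) ? $value : ($value['class'] ?? null);
                // is_subclass_of() on a string checks the hierarchy without running a constructor.
                if (!is_string($class) || !is_subclass_of($class, Behavior::class)) {
                    throw new InvalidArgumentException("'$name' must configure a Behavior subclass");
                }
                $value = createObject($value);
            }
            $this->behaviors[substr($name, 3)] = $value;
            return;
        }
        throw new Exception("Unknown property: $name");
    }
}
$c = new HardenedComponent();
$c->{'as audit'} = ['class' => AuditBehavior::class];   // accepted: a Behavior subclass
try {
    $c->{'as bad'} = ['class' => stdClass::class];      // rejected before any instantiation
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```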
Affected Version(s)
yiisoft/yii2 <= unspecified
CVSS V3.1
Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
CVSS V3.0
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged