Code Injection Vulnerability in Yii Framework by Yii Software
CVE-2024-58136
Key Information:
- Vendor
Yiiframework
- Status
- Vendor
- CVE Published:
- 10 April 2025
Badges
What is CVE-2024-58136?
CVE-2024-58136 is a vulnerability found in the Yii Framework, a popular PHP framework widely used for developing web applications. Specifically, this flaw affects versions of Yii 2 prior to 2.0.52, whereby the framework mishandles the attachment of behaviors based on an improperly managed __class array key. Such a vulnerability can expose organizations to various security risks, potentially leading to malicious code execution and further exploitation by threat actors. Given that Yii Framework is utilized in numerous applications, the implications of this vulnerability are considerable, as it could compromise the integrity and confidentiality of sensitive data managed by these applications.
Technical Details
CVE-2024-58136 identifies a code injection vulnerability arising from a regression issue linked to CVE-2024-4990. This vulnerability is rooted in improper handling of the __class array key, which can lead to unexpected behavior during the attachment of application behaviors. Yii’s broader ecosystem relies heavily on the correct functionality of these components for maintaining the security and stability of applications built on it. Although there are no known exploitations of this vulnerability at present, the nature of code injection vulnerabilities makes them particularly dangerous, as they can be leveraged to gain unauthorized control over affected systems.
Potential impact of CVE-2024-58136
-
Remote Code Execution: The most significant risk presented by this vulnerability is the potential for remote code execution. Attackers may exploit this flaw to inject malicious code into web applications, executing arbitrary commands on the server, which can lead to full system compromise.
-
Data Breach: Exploiting this vulnerability could allow attackers to access sensitive data stored within applications leeching from the Yii Framework. This could result in unauthorized retrieval of personal, financial, or proprietary information, leading to severe data breaches.
-
Service Disruption: The misuse of this vulnerability might not only let attackers hijack control over systems but could also enable them to disrupt normal service operations. By executing harmful commands, attackers could introduce instability, leading to application outages and degraded service performance for users.
CISA has reported CVE-2024-58136
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2024-58136 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Yii 2 < 2.0.52
News Articles
CISA (.gov)CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation
2 weeks ago
Craft CMS RCE exploit chain used in zero-day attacks to steal data
Two vulnerabilities impacting Craft CMS were chained together in zero-day attacks to breach servers and steal data, with exploitation ongoing, according to CERT Orange Cyberdefense.
1 month ago
References
EPSS Score
27% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 👾
Exploit known to exist
- 🦅
CISA Reported
- 📰
First article discovered by BleepingComputer
Vulnerability published
Vulnerability Reserved