CVE-2024-58136
Published: 10 April 2025
Summary
CVE-2024-58136 is a critical-severity Improper Protection of Alternate Path (CWE-424) vulnerability in Yiiframework Yii. Its CVSS base score is 9.0 (Critical).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Yii 2 before version 2.0.52 contains a vulnerability that mishandles attachment of behaviors specified via an __class array key. The flaw is a regression of CVE-2024-4990 and affects the Yii framework's behavior attachment logic, allowing improper class resolution during object configuration.
An unauthenticated remote attacker can supply a crafted configuration array over the network to trigger the issue. Successful exploitation yields full control over the affected application, including arbitrary code execution and impact on confidentiality, integrity, and availability, as reflected in the CVSS 9.0 score with changed scope.
Official references direct users to upgrade to Yii 2.0.52. The fix is documented in the project's GitHub commit 40fe496eda529fd1d933b56a1022ec32d3cd0b12, the 2.0.51-to-2.0.52 diff, pull request 20232, and the Yii Framework security advisory that explicitly recommends immediate patching.
The CVE was exploited in the wild between February and April 2025; over the same period its EPSS score peaked at 0.7895 and currently stands at 0.7726.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-10502
Vulnerability details
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
- CWE(s): CWE-424 (Improper Protection of Alternate Path)
- KEV Date Added: 02 May 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the vendor patch (upgrade to Yii 2.0.52) that restores validation of the __class key and eliminates the unsafe instantiation path.
- SI-10 (Information Input Validation): enforces validation of all supplied configuration arrays (including behavior definitions containing __class) before any class loading or instantiation occurs.
- Integrity verification of application code and configuration data, to detect or block unauthorized class-loading behavior introduced via the vulnerable attachment logic.
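The input-validation control above (validate configuration arrays before anything is instantiated) can be illustrated with a small allowlist check. The following PHP is an added example written for this page; it is not code from the Yii project or from the fix referenced above. The function and exception names, the `app\behaviors\TimestampBehavior` class name and the sample configuration arrays are all constructed for the demonstration; the `'as name'` keys mirror how a Yii 2 configuration array declares behaviors, and both `__class` and `class` are treated as class selectors because the vulnerability concerns the former.

```php
<?php
// Added example (not Yii project code): reject object-configuration arrays whose
// "__class" / "class" entries name a class outside an explicit allowlist, before
// any factory or DI container gets to instantiate anything.
// All function, class and namespace names below are assumptions for this demo.

declare(strict_types=1);

final class UnsafeConfigurationException extends RuntimeException {}

/**
 * Walk a (possibly nested) configuration array and throw if any class-selecting
 * key names a class that is not on the allowlist.
 *
 * @param array<string|int,mixed> $config         configuration array to validate
 * @param list<string>            $allowedClasses fully-qualified class names permitted
 * @param string                  $path           dotted path, used only for messages
 */
function assertConfigClassesAllowed(array $config, array $allowedClasses, string $path = ''): void
{
    foreach ($config as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '.' . $key;

        // Both spellings select the class to instantiate; treat them identically.
        if ($key === '__class' || $key === 'class') {
            if (!is_string($value)) {
                throw new UnsafeConfigurationException("$here: class selector must be a string");
            }
            // Normalise a leading namespace separator so "\Foo\Bar" and "Foo\Bar" compare equal.
            $normalized = ltrim($value, '\\');
            if (!in_array($normalized, $allowedClasses, true)) {
                throw new UnsafeConfigurationException("$here: class '$value' is not allowlisted");
            }
            continue;
        }

        // Recurse into nested definitions, e.g. 'as name' => [...] behavior entries.
        if (is_array($value)) {
            assertConfigClassesAllowed($value, $allowedClasses, $here);
        }
    }
}

// --- constructed demonstration input ---------------------------------------
$allowed = [
    'app\behaviors\TimestampBehavior',   // hypothetical application behavior
];

$safeConfig = [
    'as timestamp' => ['__class' => 'app\behaviors\TimestampBehavior'],
];

// Same shape, but one behavior selects a class the application never approved.
$untrustedConfig = [
    'as timestamp' => ['__class' => 'app\behaviors\TimestampBehavior'],
    'as extra'     => ['__class' => 'Vendor\Unrelated\Service'],
];

assertConfigClassesAllowed($safeConfig, $allowed);
echo "safe config accepted\n";

try {
    assertConfigClassesAllowed($untrustedConfig, $allowed);
} catch (UnsafeConfigurationException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The check runs on the raw array, before any factory resolves class names, so a rejected definition never reaches autoloading or a constructor. An allowlist of concrete class names is deliberately used instead of a denylist: the regression described on this page shows that a single overlooked alternate key (`__class` alongside `class`) is enough to reopen the path, and an allowlist fails closed when a new key or spelling appears.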