CVE-2024-4990
Published 2025-03-20
Priority P2 · 73 · critical · 9.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 79.39% (99.6th percentile)
In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructors and invoking setter methods. Depending on the installed dependencies, various types of attacks are possible, including the execution of arbitrary code, retrieval of sensitive information, and unauthorized access.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | >= 4.0.0-RC1 < 4.16.17 | 4.16.17 |
| craftcms | cms | >= 4.0.0-RC1 < 4.16.18 | 4.16.18 |
| craftcms | cms | >= 5.0.0-RC1 < 5.8.21 | 5.8.21 |
| craftcms | cms | >= 5.0.0-RC1 < 5.8.22 | 5.8.22 |
| yiiframework | yii | < 2.0.52 | 2.0.52 |
| yiiframework | yii | — | — |
| yiiframework | yii | >= 2 < 2.0.52 | 2.0.52 |
| yiisoft | yii2 | >= 0 < 2.0.52 | 2.0.52 |
| yiisoft | yii2 | >= 0 < 2.0.49.4 | 2.0.49.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| nvd | 3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | — | 9.1 | CRITICAL | — |
| osv | — | 9.1 | CRITICAL | — |
OSV
Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
osv·2026-02-09
CVE-2026-25498 [HIGH] Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
## Relationship to Previously Patched Vulnerability
This vulnerability is **in addition to** the RCE vulnerability patched in [GHSA-255j-qw47-wjh5](https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5). That advisory addressed a similar RCE vulnerability that affected two specific routes:
- `/index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings`
- `/index.php?p=admin%2Factions%2Ffields%2Frender-card-preview`
This one addresses additional endpoints that were not covered in https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5.
The patched vulnerability used a malicious `AttributeTypecastBehavior` with a wildcard event listen
GHSA
Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
ghsa·2026-02-09
CVE-2026-25498 [HIGH] CWE-470 Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
OSV
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
osv·2026-01-05·CVSS 9.1
CVE-2025-68455 [CRITICAL] Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
Note that attackers must have administrator access to the Craft Control Panel for this to work.
Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Resources:
https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef
https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7
https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
### Summary
This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team deni
GHSA
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
ghsa·2026-01-05·CVSS 9.1
CVE-2025-68455 [CRITICAL] CWE-470 Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
OSV
yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
osv·2025-04-10·CVSS 9.1
CVE-2024-58136 [CRITICAL] yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by a `__class` array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
GHSA
yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
ghsa·2025-04-10·CVSS 9.1
CVE-2024-58136 [CRITICAL] CWE-424 yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
OSV
Unsafe Reflection in base Component class in yiisoft/yii2
osv·2024-06-02
CVE-2024-4990 [HIGH] Unsafe Reflection in base Component class in yiisoft/yii2
Yii2 supports attaching Behaviors to Components by setting properties having the format `'as '`.
Internally this is done using the `__set()` magic method. If the value passed to this method is not an instance of the `Behavior` class, a new object is instantiated using `Yii::createObject($value)`. However, there is no validation check that verifies that `$value` is a valid `Behavior` class name or configuration. An attacker that can control the content of the `$value` variable can then instantiate arbitrary classes, passing parameters to their constructors and then invoking setter methods.
### Impact
With some effort malicious code can be injected and executed, which might be anything ranging from deleting files to dropping database tabl
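The `__set()` attachment path the advisory describes, as an added illustration that is not yiisoft/yii2's code: a stripped-down stand-in for `Component`, `Behavior` and `Yii::createObject()` (all simplified here; the names `resolveClass`, `validateBehaviors`, `HardenedInvalidConfigException`, `NotABehavior` and `LoggingBehavior` are assumptions for this example). With validation off, a config array naming a non-Behavior class is constructed and its setter is invoked, which is the unsafe reflection the advisory describes. With validation on, the class named by a string, a `class` key or a `__class` key (the key involved in the CVE-2024-58136 regression listed above) is resolved and checked with `is_subclass_of()` against `Behavior` before anything is instantiated. This is an illustrative hardening, not the project's actual patch.

```php
<?php
// Added illustration (not yiisoft/yii2 code): a stripped-down stand-in for the
// "as <name>" behavior-attachment path, showing the unchecked createObject()
// call beside a variant that verifies the target class before instantiating it.
// All class and function names here are assumptions chosen for this example.

abstract class Behavior {}                                   // stand-in for yii\base\Behavior
final class HardenedInvalidConfigException extends RuntimeException {}

// Stand-in for Yii::createObject(): accepts a class name or a config array whose
// '__class' or 'class' key names the class; remaining keys are applied through
// property writes (and therefore setters) after construction.
function createObject($type): object
{
    if (is_string($type)) {
        return new $type();
    }
    $class = $type['__class'] ?? $type['class'] ?? null;
    if (!is_string($class)) {
        throw new HardenedInvalidConfigException('Object configuration must specify a class');
    }
    unset($type['__class'], $type['class']);
    $object = new $class();
    foreach ($type as $property => $value) {
        $object->$property = $value;                         // reaches setters / __set on the new object
    }
    return $object;
}

// Resolve the class a value would instantiate, without instantiating it.
function resolveClass($value): ?string
{
    if (is_string($value)) {
        return $value;
    }
    if (is_array($value)) {
        $class = $value['__class'] ?? $value['class'] ?? null;
        return is_string($class) ? $class : null;
    }
    return null;
}

class Component
{
    /** @var array<string, object> */
    private array $behaviors = [];
    public bool $validateBehaviors = true;                   // false reproduces the vulnerable path

    public function __set(string $name, $value): void
    {
        if (strncmp($name, 'as ', 3) === 0) {
            $behaviorName = trim(substr($name, 3));
            if ($value instanceof Behavior) {
                $this->behaviors[$behaviorName] = $value;
                return;
            }
            if ($this->validateBehaviors) {
                // Hardened path: refuse anything that does not resolve to a Behavior
                // subclass, before any constructor or setter of that class can run.
                $class = resolveClass($value);
                if ($class === null || !is_subclass_of($class, Behavior::class)) {
                    throw new HardenedInvalidConfigException(
                        'Behavior config must name a subclass of ' . Behavior::class
                    );
                }
            }
            // Vulnerable path (validateBehaviors = false): whatever class the caller
            // named is constructed here and its setters are invoked.
            $this->behaviors[$behaviorName] = createObject($value);
            return;
        }
        throw new RuntimeException("Unknown property: $name");
    }

    public function behaviorNames(): array { return array_keys($this->behaviors); }
}

// Harmless probe class for the demonstration: not a Behavior, only records
// that its setter was reached.
class NotABehavior
{
    public static array $setterCalls = [];
    public function setNote(string $note): void { self::$setterCalls[] = $note; }
    public function __set($name, $value) { $this->{'set' . ucfirst($name)}($value); }
}

class LoggingBehavior extends Behavior {}

// Constructed input: a config array naming a class that is not a Behavior.
$config = ['class' => NotABehavior::class, 'note' => 'reached setter'];

$unsafe = new Component();
$unsafe->validateBehaviors = false;
$unsafe->{'as probe'} = $config;                             // unchecked value reaches createObject()
assert(NotABehavior::$setterCalls === ['reached setter']);

$safe = new Component();
try {
    $safe->{'as probe'} = $config;
    assert(false, 'unexpected: non-Behavior class was attached');
} catch (HardenedInvalidConfigException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
$safe->{'as audit'} = LoggingBehavior::class;                // a real Behavior subclass still attaches
assert($safe->behaviorNames() === ['audit']);
```

The point of resolving the class name before calling `createObject()` is that the check runs before any constructor or setter of an attacker-chosen class can execute; checking the returned object afterwards would be too late, since the side effects of construction have already happened.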
GHSA
Unsafe Reflection in base Component class in yiisoft/yii2
ghsa·2024-06-02
CVE-2024-4990 [HIGH] CWE-470 Unsafe Reflection in base Component class in yiisoft/yii2
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.