CVE-2020-15148 Overview
CVE-2020-15148 is a critical remote code execution vulnerability affecting Yii 2 (yiisoft/yii2) before version 2.0.38. It stems from insecure deserialization: an attacker can execute arbitrary code when the application calls unserialize() on user-controlled input. This class of object injection vulnerability is particularly dangerous in PHP applications, as successful exploitation can lead to complete system compromise.
Critical Impact
Remote attackers can achieve arbitrary code execution on vulnerable Yii 2 applications that deserialize untrusted user input, potentially leading to complete server compromise, data theft, and lateral movement within the network.
Affected Products
- Yiiframework Yii versions prior to 2.0.38
- Applications using yiisoft/yii2 that call unserialize() on user-controlled input
- PHP applications built on vulnerable Yii 2 framework versions
Discovery Timeline
- 2020-09-15 - CVE-2020-15148 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-15148
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The core issue lies in the Yii 2 framework's handling of serialized PHP objects. When an application built on Yii 2 processes user-supplied serialized data through PHP's unserialize() function, an attacker can craft malicious serialized payloads that, upon deserialization, trigger dangerous "magic methods" such as __wakeup() or __destruct(). These methods can then execute arbitrary code in the context of the application.
The attack requires no authentication and can be executed remotely over the network. The scope of impact extends beyond the vulnerable component, potentially affecting the confidentiality, integrity, and availability of the entire system.
Root Cause
The root cause is the absence of proper safeguards in certain Yii 2 framework classes against unsafe deserialization. Specifically, classes like BatchQueryResult lacked a __wakeup() method that would prevent their instantiation through deserialization. Without explicit protection, PHP's native deserialization mechanism will reconstruct objects from serialized strings, and an attacker can chain existing classes whose magic methods perform dangerous operations (property-oriented programming, or POP, chains, also known as gadget chains) to execute code.
Attack Vector
The attack is conducted over the network and requires an application that:
- Uses a vulnerable version of Yii 2 (prior to 2.0.38)
- Calls unserialize() on data that can be influenced by user input
An attacker supplies a specially crafted serialized PHP object. When this string is passed to unserialize(), the PHP engine reconstructs the object and invokes its magic methods, which can lead to code execution. The exploit requires no user interaction or prior authentication.
// Security patch in framework/db/BatchQueryResult.php
// Source: https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99
// (excerpt: the closing lines of the preceding method, then the guard added in 2.0.38)
        return null;
    }

    /**
     * Unserialization is disabled to prevent remote code execution in case application
     * calls unserialize() on user input containing specially crafted string.
     * @see CVE-2020-15148
     * @since 2.0.38
     */
    public function __wakeup()
    {
        throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
    }
}
Source: GitHub Commit Update
Detection Methods for CVE-2020-15148
Indicators of Compromise
- Unusual HTTP requests containing base64-encoded or URL-encoded serialized PHP objects (strings starting with O: or a:)
- Web application logs showing unexpected errors related to object instantiation or magic method execution
- Anomalous process spawning from web server processes (e.g., php-fpm, apache2, or nginx workers)
- Unexpected file system modifications or new files created in web-accessible directories
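The first indicator above (serialized PHP objects hidden behind URL- or base64-encoding) can be checked mechanically. The following is an added example, not code from the advisory or from Yii; the parameter names and payloads are constructed, and stdClass stands in for any class name.

```php
<?php
// Added example, not code from the advisory or from Yii: flags request parameters that
// look like serialized PHP data (O: object, a: array, C: custom serialization), peeling
// the URL-encoding and base64 layers such payloads are commonly wrapped in.
declare(strict_types=1);
/** Start of a serialized PHP object, array or custom-serialized class. */
const SERIALIZED_PHP_PATTERN = '/^(?:O:\d+:"[^"]*":\d+:\{|a:\d+:\{|C:\d+:")/';
/** Decoding layers peeled before serialized PHP appeared ([] = plain), or null if it never did. */
function looksLikeSerializedPhp(string $value, int $maxLayers = 3): ?array
{
    $layers = [];
    for ($i = 0; $i <= $maxLayers; $i++) {
        if (preg_match(SERIALIZED_PHP_PATTERN, $value) === 1) {
            return $layers;
        }
        // Peel one encoding layer per iteration, URL-decoding first.
        $decoded = rawurldecode($value);
        if ($decoded !== $value) {
            $value = $decoded;
            $layers[] = 'urldecode';
            continue;
        }
        $decoded = base64_decode($value, true);
        if ($decoded !== false && $decoded !== '' && preg_match('/^[A-Za-z0-9+\/]+={0,2}$/', $value) === 1) {
            $value = $decoded;
            $layers[] = 'base64';
            continue;
        }
        return null; // nothing left to peel
    }
    return null;
}
/** Scans a flat parameter map (query string, cookies, POST fields); returns name => layers. */
function scanParameters(array $params): array
{
    $hits = [];
    foreach ($params as $name => $value) {
        $layers = is_string($value) ? looksLikeSerializedPhp($value) : null;
        if ($layers !== null) {
            $hits[$name] = $layers === [] ? 'plain' : implode('+', $layers);
        }
    }
    return $hits;
}

// Constructed sample request: plain, base64-wrapped and URL-encoded payloads beside a benign value.
$sample = ['id' => '42', 'state' => 'a:1:{s:4:"page";i:3;}',
    'cart' => base64_encode('O:8:"stdClass":1:{s:3:"qty";i:2;}'),
    'filter' => rawurlencode('O:8:"stdClass":0:{}')];
print_r(scanParameters($sample));
```

The same check can be run over exported access logs by feeding each decoded query string through parse_str() before calling scanParameters().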
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block serialized PHP object patterns in request parameters, cookies, and POST data
- Implement runtime application self-protection (RASP) to monitor unserialize() calls and block suspicious payloads
- Use SentinelOne's behavioral AI to detect post-exploitation activities such as reverse shells or unauthorized process execution
- Perform code audits to identify all instances where unserialize() is called on user-controllable data
Monitoring Recommendations
- Enable detailed application logging for all deserialization operations and monitor for exceptions
- Set up alerts for unusual outbound network connections from web application servers
- Monitor for changes to framework files or unexpected Composer package modifications
- Implement file integrity monitoring on critical application directories
How to Mitigate CVE-2020-15148
Immediate Actions Required
- Upgrade Yii 2 framework to version 2.0.38 or later immediately
- Audit application code to identify all uses of unserialize() on user-controlled input
- Replace unserialize() with safer alternatives like json_decode() where possible
- If upgrading is not immediately possible, apply the workaround from the security advisory
Patch Information
The vulnerability is fixed in Yii 2 version 2.0.38. The patch adds a __wakeup() method to affected classes that throws a BadMethodCallException when deserialization is attempted, effectively preventing the exploitation of these classes as gadgets in POP chains. Organizations should update their Composer dependencies to pull the patched version.
For detailed patch information, refer to the GitHub Security Advisory GHSA-699q and the GitHub Commit Update.
Workarounds
- Avoid calling unserialize() on any user-supplied or externally-sourced data
- Use PHP's allowed_classes option with unserialize() to restrict which classes can be instantiated: unserialize($data, ['allowed_classes' => false])
- Implement input validation to reject data that appears to contain serialized PHP objects
- Consider using HMAC-based integrity verification for any serialized data that must be stored client-side
# Update Yii 2 framework via Composer
composer require "yiisoft/yii2:^2.0.38"
# Verify the installed version
composer show yiisoft/yii2 | grep versions
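The HMAC and allowed_classes workarounds listed above, combined in one wrapper for state that must round-trip through the client. This is an added example in PHP 8, not code from the advisory or from Yii; the SignedState class, its method names and the demo key are constructed for it.

```php
<?php
// Added example (PHP 8), not code from the advisory or from Yii: client-side state is
// HMAC-signed before it leaves the server, the signature is checked before unserialize()
// is ever called, and unserialize() runs with allowed_classes => false so no object can
// be instantiated. Class, method names and the demo key are constructed for this example.
final class SignedState
{
    public function __construct(private string $key) {}
    /** Serializes $data and prefixes it with an HMAC-SHA256 over the serialized bytes. */
    public function seal(array $data): string
    {
        $payload = serialize($data);
        return base64_encode(hash_hmac('sha256', $payload, $this->key) . '.' . $payload);
    }
    /** Verifies the HMAC first and only then deserializes, refusing anything but a plain array. */
    public function open(string $blob): array
    {
        $raw = base64_decode($blob, true);
        if ($raw === false || !str_contains($raw, '.')) {
            throw new InvalidArgumentException('Malformed state blob');
        }
        [$mac, $payload] = explode('.', $raw, 2); // the hex MAC never contains '.'
        if (!hash_equals(hash_hmac('sha256', $payload, $this->key), $mac)) {
            throw new InvalidArgumentException('State blob failed integrity check');
        }
        if (preg_match('/^a:\d+:\{/', $payload) !== 1) {
            throw new InvalidArgumentException('Only serialized arrays are accepted');
        }
        // With allowed_classes => false any O: entry becomes __PHP_Incomplete_Class,
        // so no __wakeup()/__destruct() of an application class can ever run here.
        $data = unserialize($payload, ['allowed_classes' => false]);
        if (!is_array($data)) {
            throw new InvalidArgumentException('Payload did not decode to an array');
        }
        return $data;
    }
}

$state = new SignedState('constructed-demo-key-replace-in-production');
$blob  = $state->seal(['page' => 3, 'sort' => 'name']);
var_dump($state->open($blob) === ['page' => 3, 'sort' => 'name']);
// Changing one value inside the payload invalidates the MAC before unserialize() runs.
$tampered = base64_encode(str_replace('i:3;', 'i:4;', base64_decode($blob, true)));
try {
    $state->open($tampered);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Where the stored data is plain key/value pairs, json_encode()/json_decode() under the same HMAC removes the need for unserialize() altogether, as the mitigation list recommends.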
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

