CVE-2024-58136 Overview
CVE-2024-58136 is a critical remote code execution vulnerability affecting the Yii 2 PHP framework versions prior to 2.0.52. The vulnerability stems from improper handling of behavior attachment when defined using an __class array key, representing a regression of the previously patched CVE-2024-4990. This flaw has been actively exploited in the wild between February and April 2025, prompting its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog.
Critical Impact
This vulnerability enables unauthenticated remote attackers to achieve arbitrary code execution on affected Yii 2 applications through malicious behavior attachment, with confirmed active exploitation campaigns targeting production systems.
Affected Products
- Yiiframework Yii versions prior to 2.0.52
- Applications built on vulnerable Yii 2 framework versions
- CraftCMS and other platforms utilizing the Yii 2 framework
Discovery Timeline
- 2025-04-10 - CVE-2024-58136 published to NVD
- 2025-11-05 - Last updated in NVD database
Technical Details for CVE-2024-58136
Vulnerability Analysis
This vulnerability is classified under CWE-424 (Improper Protection of Alternate Path) and represents a critical regression in the Yii 2 framework's behavior attachment mechanism. The flaw occurs in the framework/base/Component.php file where the framework processes configuration arrays for attaching behaviors to components.
The root issue lies in the incomplete fix for CVE-2024-4990. While the original patch addressed behavior attachment via the class array key, it failed to account for the alternative __class array key syntax that Yii 2 also supports for object instantiation. Attackers can exploit this oversight to bypass the security controls and attach arbitrary behaviors to framework components, ultimately achieving remote code execution.
The vulnerability is particularly dangerous as it requires no authentication and can be exploited remotely over the network with low complexity. Active exploitation campaigns leveraging this vulnerability have been observed targeting CraftCMS installations and other Yii 2-based applications.
Root Cause
The vulnerability exists in the Component.php file's behavior attachment logic. The original security fix for CVE-2024-4990 only validated the class key when checking if a behavior configuration should be allowed. However, Yii 2 supports an alternative __class key for specifying object classes during instantiation. This oversight allowed attackers to bypass the security check by using __class instead of class in their malicious payloads.
Attack Vector
The attack vector is network-based, requiring no user interaction or prior authentication. Attackers can craft malicious HTTP requests containing specially formatted configuration data that includes the __class key to specify arbitrary PHP classes as behaviors. When the Yii 2 framework processes this data through vulnerable code paths, it instantiates and attaches the attacker-specified class, leading to arbitrary code execution on the server.
$name = trim(substr($name, 3));
if ($value instanceof Behavior) {
$this->attachBehavior($name, $value);
- } elseif (isset($value['class']) && is_subclass_of($value['class'], Behavior::class, true)) {
+ } elseif ((isset($value['class']) && is_subclass_of($value['class'], Behavior::class)) || (isset($value['__class']) && is_subclass_of($value['__class'], Behavior::class))) {
$this->attachBehavior($name, Yii::createObject($value));
} elseif (is_string($value) && is_subclass_of($value, Behavior::class, true)) {
$this->attachBehavior($name, Yii::createObject($value));
Source: GitHub Commit 40fe496
Detection Methods for CVE-2024-58136
Indicators of Compromise
- HTTP requests containing __class parameters in POST data or JSON payloads targeting Yii 2 application endpoints
- Unusual PHP process spawning or command execution on web servers running Yii 2 applications
- Web server access logs showing suspicious requests with serialized PHP data containing behavior attachment patterns
- File system changes indicating webshell deployment or unauthorized file creation
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block requests containing __class keys in request parameters
- Monitor PHP error logs for unexpected class instantiation errors or behavior attachment failures
- Deploy network-based intrusion detection signatures for known CVE-2024-58136 exploitation patterns
- Review application logs for anomalous object instantiation patterns or unauthorized behavior attachments
Monitoring Recommendations
- Enable verbose logging for Yii 2 framework component initialization and behavior attachment operations
- Implement file integrity monitoring on web application directories to detect webshell deployment
- Configure alerting for outbound connections from web server processes to detect post-exploitation activity
- Monitor for process execution chains involving PHP spawning shell commands or other suspicious child processes
How to Mitigate CVE-2024-58136
Immediate Actions Required
- Upgrade all Yii 2 framework installations to version 2.0.52 or later immediately
- If immediate patching is not possible, implement WAF rules to block requests containing __class parameters
- Review web server logs for indicators of prior exploitation attempts dating back to February 2025
- Conduct forensic analysis on potentially compromised systems, particularly CraftCMS installations
Patch Information
The Yii Framework development team has released version 2.0.52 which addresses this vulnerability. The fix modifies the behavior attachment logic in framework/base/Component.php to properly validate both class and __class array keys against the Behavior class before allowing instantiation.
Organizations should apply the patch by updating their Yii 2 framework dependency:
- Review the official Yii Framework security advisory for detailed upgrade instructions
- Examine the version comparison on GitHub to understand all changes included in the security release
- Reference the GitHub Pull Request #20232 for technical details on the fix
Workarounds
- Deploy Web Application Firewall rules to filter requests containing __class in request bodies or parameters
- Implement input validation at the application layer to reject configuration data containing __class keys from untrusted sources
- Consider network segmentation to limit the blast radius of potential compromise until patching is complete
- Disable or restrict access to endpoints that process user-controlled configuration data
# Example Composer update command to patch Yii 2
composer require "yiisoft/yii2:^2.0.52"
# Verify installed version
composer show yiisoft/yii2 | grep version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
