CVE-2025-2690: Yiiframework Yii RCE Vulnerability

CVE-2025-2690 is a critical remote code execution vulnerability in Yiiframework Yii2 up to version 2.0.39 caused by insecure deserialization. This article covers technical details, affected versions, and mitigation.

CVE-2025-2690 Overview

A critical insecure deserialization vulnerability has been discovered in yiisoft Yii2 framework versions up to 2.0.39. This vulnerability affects the Generate function within the file phpunit\src\Framework\MockObject\MockClass.php. The flaw allows remote attackers to manipulate deserialization processes, potentially leading to arbitrary code execution on vulnerable systems.

Critical Impact

Remote attackers can exploit this deserialization vulnerability to execute arbitrary code, potentially gaining full control over affected web applications and underlying server infrastructure.

Affected Products

  • Yiiframework Yii versions up to 2.0.39
  • Applications built using the vulnerable Yii2 framework
  • Systems utilizing PHPUnit MockObject functionality within Yii2

Discovery Timeline

  • 2025-03-24 - CVE-2025-2690 published to NVD
  • 2025-03-24 - Last updated in NVD database

Technical Details for CVE-2025-2690

Vulnerability Analysis

This insecure deserialization vulnerability (CWE-502) exists in the Yii2 framework's PHPUnit integration, specifically within the MockClass component. The vulnerability stems from improper input validation (CWE-20) when processing serialized data through the Generate function.

Insecure deserialization occurs when an application deserializes untrusted data without proper validation, allowing attackers to inject malicious serialized objects. In PHP applications like those built with Yii2, this can lead to object injection attacks where attackers can instantiate arbitrary objects and invoke magic methods such as __wakeup() or __destruct() to achieve code execution.

The network-accessible nature of this vulnerability means it can be exploited remotely without requiring significant attacker privileges, making it particularly dangerous for internet-facing Yii2 applications.

Root Cause

The root cause of this vulnerability lies in the improper handling of serialized data within the MockClass.php file. The Generate function fails to adequately validate or sanitize input before deserialization, allowing malicious payloads to be processed. This lack of input validation enables attackers to craft specially designed serialized objects that exploit PHP's object instantiation mechanisms.

Attack Vector

The attack vector for CVE-2025-2690 is network-based, allowing remote exploitation. An attacker can craft a malicious serialized payload and send it to a vulnerable Yii2 application endpoint that processes the data through the affected Generate function. Upon deserialization, the malicious payload triggers arbitrary code execution through PHP's magic method invocation chain.

The exploitation technique typically involves identifying gadget chains within the application's codebase that can be leveraged during deserialization to achieve code execution. Technical details and exploitation guidance have been publicly disclosed. For more information, see the GitHub Exploit Guide and VulDB CTI #300711.

Detection Methods for CVE-2025-2690

Indicators of Compromise

  • Unusual serialized data patterns in HTTP requests targeting Yii2 application endpoints
  • Web server logs showing requests with base64-encoded or URL-encoded serialized PHP objects
  • Unexpected process executions or file system modifications originating from web application processes
  • Error logs containing deserialization-related exceptions or unexpected object instantiation attempts

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block serialized PHP object patterns in incoming requests
  • Monitor application logs for deserialization errors or unexpected class instantiation attempts
  • Deploy runtime application self-protection (RASP) solutions to detect object injection attempts
  • Utilize SentinelOne's behavioral AI to identify anomalous code execution patterns originating from PHP processes
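The indicators above (serialized PHP objects in raw, URL-encoded or base64 form) and the WAF rule suggestion both reduce to one check. The following is an added example, not code from the advisory or from Yii2, that runs that check over constructed Apache-style log lines; the sample class name, paths and addresses are made up, and it assumes PHP 7.4 or later.

```php
<?php
// Added example, not from the advisory: flag web-server log lines carrying
// PHP serialized-object markers (O:<len>:"<Class>":<n>:{) in raw,
// URL-encoded or base64-encoded form. Sample log lines are constructed.

/** True if $line carries a serialized PHP object in any of the three forms. */
function containsSerializedObject(string $line): bool
{
    // rawurldecode handles %XX escapes but leaves '+' alone, so base64 survives.
    $decoded = rawurldecode($line);
    $candidates = [$line, $decoded];
    // Pull base64-looking runs (16+ chars, optional padding) out of the decoded
    // line and decode them strictly; runs that are not base64 return false.
    if (preg_match_all('/[A-Za-z0-9+\/]{16,}={0,2}/', $decoded, $m)) {
        foreach ($m[0] as $blob) {
            $plain = base64_decode($blob, true);
            if ($plain !== false) {
                $candidates[] = $plain;
            }
        }
    }

    // Object marker: O:<len>:"<Class or Namespace\Class>":<count>:{
    $marker = '/O:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/';
    foreach ($candidates as $c) {
        if (preg_match($marker, $c) === 1) {
            return true;
        }
    }
    return false;
}

/** Return only the log lines that should raise an alert. */
function flagLogLines(array $lines): array
{
    return array_values(array_filter($lines, 'containsSerializedObject'));
}

// Constructed sample: one benign request, one URL-encoded and one base64 payload.
$sample = 'O:8:"SomeData":1:{s:4:"name";s:2:"hi";}';
$logLines = [
    '10.0.0.5 - - [24/Mar/2025:10:01:02 +0000] "GET /site/index HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Mar/2025:10:01:07 +0000] "GET /api/import?data=' . rawurlencode($sample) . ' HTTP/1.1" 500 77',
    '10.0.0.9 - - [24/Mar/2025:10:01:09 +0000] "GET /api/import?data=' . rawurlencode(base64_encode($sample)) . ' HTTP/1.1" 500 77',
];

foreach (flagLogLines($logLines) as $hit) {
    echo "ALERT serialized PHP object in request: $hit\n";
}
```

Only the second and third constructed lines are flagged; the marker regex also matches namespaced class names, so the check generalises beyond the single sample shown.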

Monitoring Recommendations

  • Enable verbose logging for the Yii2 framework to capture deserialization events
  • Monitor outbound network connections from web server processes for potential reverse shell indicators
  • Implement file integrity monitoring on critical application directories
  • Set up alerts for unexpected child processes spawned by PHP-FPM or Apache/Nginx workers

How to Mitigate CVE-2025-2690

Immediate Actions Required

  • Audit your Yii2 applications to identify if they use versions up to 2.0.39
  • Review application code for endpoints that may process user-controlled serialized data
  • Implement input validation and sanitization on all data that may be deserialized
  • Consider restricting access to development and testing endpoints that utilize PHPUnit MockObject functionality

Patch Information

Organizations should monitor yiisoft's official channels for security patches addressing this vulnerability. Review VulDB entry #300711 for the latest advisory information and patch availability. It is recommended to upgrade to a patched version of Yii2 as soon as one becomes available.

Workarounds

  • Disable or remove PHPUnit components from production environments, as they are typically intended for development use only
  • Implement strict input validation to reject serialized data from untrusted sources
  • Use a whitelist approach for allowed classes during deserialization where possible
  • Deploy network segmentation to limit exposure of Yii2 applications to trusted networks only
  • Consider using PHP's unserialize() with the allowed_classes parameter set to false or a specific whitelist
```bash
# Configuration example - Remove PHPUnit from production
# If composer.json lists PHPUnit under "require", move it to "require-dev"
# so that production installs leave it out
composer remove phpunit/phpunit
composer require --dev phpunit/phpunit

# Install without development dependencies
composer install --no-dev --optimize-autoloader

# Verify PHPUnit is not present in production (no output means not found)
find /var/www/html -name "MockClass.php" -path "*/phpunit/*" 2>/dev/null
```
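The last workaround in the list, unserialize() with allowed_classes, is shown below as an added example that is not code from the advisory or from Yii2: the unsafe loader beside a hardened one. The SessionPrefs and ForeignClass names and the payloads are constructed, and the code assumes PHP 8.0 or later.

```php
<?php
// Added example, not part of the advisory: the unsafe unserialize() pattern
// next to a hardened loader that passes allowed_classes, as the workaround
// list above recommends. Class names and payloads are constructed.

class SessionPrefs                // the one class this loader is meant to accept
{
    public string $theme = 'light';
}

class ForeignClass                // stands in for any class whose magic method
{                                 // should never be reachable from untrusted input
    public string $note = '';
    public function __wakeup(): void
    {
        echo "__wakeup() ran for " . static::class . "\n";
    }
}

// Unsafe: every class named in the blob is instantiated and __wakeup() fires.
function loadUnsafe(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened: only SessionPrefs may be instantiated. Any other class name is
// materialised as __PHP_Incomplete_Class, which has no constructor and no
// __wakeup(); the instanceof check then rejects it together with scalars
// and the false that unserialize() returns for malformed input.
function loadHardened(string $blob): ?SessionPrefs
{
    $obj = @unserialize($blob, ['allowed_classes' => [SessionPrefs::class]]);
    return $obj instanceof SessionPrefs ? $obj : null;
}

$good = serialize(new SessionPrefs());
$bad  = serialize(new ForeignClass());   // constructed stand-in for a hostile blob

echo "unsafe loader, foreign class: ";
loadUnsafe($bad);

echo "hardened loader, foreign class: ";
var_dump(loadHardened($bad));

echo "hardened loader, expected class: ";
var_dump(loadHardened($good));
```

Running it shows __wakeup() firing only from loadUnsafe(); loadHardened() returns null for the foreign blob without invoking anything on it, and a SessionPrefs instance for the expected one.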

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
