CVE-2024-58136

Published: Apr 10, 2025Modified: Nov 5, 2025CISA KEV

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

Affected (1)

Products: Yiiframework: Yii

Yiiframework

1 product

Yii

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Yiiframework Yii	Before 2.0.52

Related CWEs

CWE-424

Improper Protection of Alternate Path

The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

References (7)

https://github.com/yiisoft/yii2/commit/40fe496eda529fd1d933b56a1022ec32d3cd0b12

Source: cve@mitre.org

Patch

https://github.com/yiisoft/yii2/compare/2.0.51...2.0.52

Source: cve@mitre.org

Issue Tracking

https://github.com/yiisoft/yii2/pull/20232

Source: cve@mitre.org

Patch

https://github.com/yiisoft/yii2/pull/20232#issuecomment-2252459709

Source: cve@mitre.org

Issue Tracking

https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52

Source: cve@mitre.org

Vendor Advisory

https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-58136

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.