CVE Reports

Posted on • Originally published at cvereports.com

CVE-2024-4990: Magic Methods, Tragic Endings: RCE in Yii2 via Unsafe Reflection

Vulnerability ID: CVE-2024-4990
CVSS Score: 9.1
Published: 2025-03-20

A critical unsafe reflection vulnerability in the Yii Framework 2 core component system allows attackers to execute arbitrary code by abusing the magic methods used for behavior attachment. By injecting a crafted payload into a model via mass assignment, an attacker can make the framework instantiate arbitrary classes (such as gadget classes in Guzzle), leading to RCE.

TL;DR

Yii2's __set() magic method allows attaching 'Behaviors' (mixins) dynamically using property names that start with 'as '. Because the value is not type-checked, an attacker can supply an arbitrary class definition instead of a Behavior. The framework passes this definition to Yii::createObject(), which can instantiate ANY class the autoloader can resolve. This leads to RCE via destructor gadgets.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE: CWE-470 (Unsafe Reflection)
  • CVSS v3.1: 9.1 (Critical)
  • Attack Vector: Network (POST/JSON)
  • Exploit Status: High (PoC Available & Bypass Active)
  • EPSS Score: 0.29%
  • Related CVE: CVE-2024-58136 (Bypass)

Affected Systems

  • Yii Framework 2 (yiisoft/yii2) < 2.0.49.4
  • Craft CMS (via underlying Yii2 dependency)
  • HumHub (via underlying Yii2 dependency)
  • Any PHP application using Yii2 components with mass assignment
  • yiisoft/yii2: < 2.0.49.4 (Fixed in: 2.0.49.4)

Code Analysis

Commit: 62d081f

Fix unsafe reflection in Component::__set by validating class types

- $this->attachBehavior($name, $value instanceof Behavior ? $value : Yii::createObject($value));
+ if ($value instanceof Behavior) {
+    $this->attachBehavior($name, $value);
+ } elseif (isset($value['class']) && is_subclass_of($value['class'], 'yii\base\Behavior', true)) {
+    $this->attachBehavior($name, Yii::createObject($value));
+ }
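Review bot: the new elseif has no else branch, so any value that is neither a Behavior instance nor an array whose 'class' is a Behavior subclass is now silently dropped, including a plain class-name string, which the removed line accepted via Yii::createObject($value). A rejected definition should fail loudly, e.g. `} else { throw new InvalidConfigException("Behavior definition for '$name' must be a yii\\base\\Behavior"); }`, so that misconfiguration and attempted abuse both surface in logs rather than disappearing. Note also that is_subclass_of($value['class'], 'yii\base\Behavior', true) autoloads whatever class name is supplied before rejecting it, and the report itself lists a bypass of this check (CVE-2024-58136), so the guard should not be considered the final fix.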

Exploit Details

  • Huntr: Original report with PoC for Guzzle gadget exploitation

Mitigation Strategies

  • Update Yii2 Framework immediately.
  • Filter input strictly before passing to model loading.
  • Disable the 'as ' magic behavior if not needed.
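The first two mitigations above can be backed by a pre-check at the request boundary. The following is an added example, not code from the report or from Yii2: it walks a decoded request body and reports every key that Yii2's Component::__set would interpret as a behavior attachment (the 'as ' prefix with its trailing space, the same prefix the mitigation list refers to). The function name and the two sample bodies are constructed for the example.

```php
<?php
// Added example (not from the report or Yii2): flag "as <name>" keys in a
// decoded request body before the data is handed to a model.

/**
 * Walk a decoded request body (form or JSON) and return the dotted paths
 * of every key that uses the "as " behavior-attachment prefix.
 */
function findBehaviorAttachmentKeys(array $data, string $path = ''): array
{
    $hits = [];
    foreach ($data as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '.' . $key;
        // PHP array keys may be ints; only string keys can carry the prefix.
        if (is_string($key) && strncmp($key, 'as ', 3) === 0) {
            $hits[] = $here;
        }
        // Nested arrays (e.g. the "ModelName" => [...] wrapper that load()
        // expects) are searched as well, since the prefix may sit at any depth.
        if (is_array($value)) {
            $hits = array_merge($hits, findBehaviorAttachmentKeys($value, $here));
        }
    }
    return $hits;
}

// Constructed sample bodies: one ordinary form post and one that smuggles a
// behavior definition (the class name is a placeholder) into the model data.
$samples = [
    'ordinary'   => '{"ContactForm":{"name":"Ada","email":"ada@example.com"}}',
    'suspicious' => '{"ContactForm":{"name":"Ada","as x":{"class":"Placeholder\\\\Class"}}}',
];

foreach ($samples as $label => $json) {
    $body = json_decode($json, true);
    $hits = $body === null ? [] : findBehaviorAttachmentKeys($body);
    // In an application this decision belongs in a request filter or a
    // controller's beforeAction(); here the verdict is only reported.
    echo $label, ': ', $hits ? 'reject (' . implode(', ', $hits) . ')' : 'accept', PHP_EOL;
}
```

Running it prints `ordinary: accept` and `suspicious: reject (ContactForm.as x)`. The check is deliberately narrow (exact prefix, any depth) so it can also be used as a logging rule to spot probing for this issue in request logs; it complements, and does not replace, upgrading the framework.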

Remediation Steps:

  1. Run composer update yiisoft/yii2 to upgrade to version 2.0.52 or higher. (Note: 2.0.49.4 fixed the original CVE, but 2.0.52 fixes the regression bypass CVE-2024-58136).
  2. Audit code for usages of $model->load($_POST) or $model->setAttributes($_POST).
  3. Ensure all models define safe validation rules and strictly define which attributes can be mass-assigned.
  4. If you cannot upgrade immediately, implement a __set override in a base Component class that throws an exception if the property name starts with 'as ' and the value is an array.
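Steps 3 and 4 together, as an added example that is not code from the report or from Yii2: a base model whose __set override rejects behavior attachment from anything but an already-constructed Behavior instance (stricter than step 4's "if the value is an array", and stricter than the upstream fix, since it never passes a caller-supplied class name to Yii::createObject), and a form model that declares exactly which attributes may be mass-assigned. The class names SafeModel and ContactForm are assumptions.

```php
<?php
// Added example (not from the report or Yii2): interim guard for remediation
// step 4 and an explicitly scoped model for step 3.
namespace app\models;

use Yii;
use yii\base\Behavior;
use yii\base\InvalidConfigException;
use yii\base\Model;

/**
 * Base model for applications that cannot upgrade yet. Component::__set treats
 * a property name starting with "as " as a behavior definition and hands
 * non-Behavior values to Yii::createObject(); this override accepts only a
 * Behavior instance on that path and throws for arrays and strings alike,
 * so a smuggled definition fails loudly instead of being instantiated.
 */
class SafeModel extends Model
{
    public function __set($name, $value)
    {
        if (strncmp($name, 'as ', 3) === 0 && !($value instanceof Behavior)) {
            throw new InvalidConfigException(
                "Refusing to attach behavior via '$name': only yii\\base\\Behavior instances are accepted"
            );
        }
        parent::__set($name, $value);
    }
}

/**
 * Only attributes that appear in rules() are "safe", so load() and
 * setAttributes() with the default $safeOnly = true drop every other key
 * present in the request body.
 */
class ContactForm extends SafeModel
{
    public $name;
    public $email;
    public $body;

    public function rules()
    {
        return [
            [['name', 'email', 'body'], 'required'],
            ['email', 'email'],
            [['name', 'body'], 'string', 'max' => 2000],
        ];
    }
}

// Controller-side usage: load() honours the safe-attribute list derived from
// rules(). Never call setAttributes($data, false), which disables that check.
$form = new ContactForm();
if ($form->load(Yii::$app->request->post()) && $form->validate()) {
    // handle the validated form
}
```

Because the override refuses array definitions, behaviors for models built on SafeModel must be declared in behaviors() rather than through 'as ' keys in a configuration array; that trade-off is what makes the guard independent of the class-type check that the report says has a bypass.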

Read the full report for CVE-2024-4990 on our website for more details including interactive diagrams and full exploit analysis.
