CVE-2021-3689

7.5 HIGH

📋 TL;DR

CVE-2021-3689 is a vulnerability in the Yii2 PHP framework: the framework's random value generation uses a predictable algorithm, so an attacker who observes enough generated values could guess others, such as CSRF tokens or session identifiers. Every Yii2 application that relies on the framework's random value generator is affected, and any security mechanism whose strength depends on those values being unguessable can be bypassed.

💻 Affected Systems

Products:
  • Yii2 PHP Framework
Versions: All versions before 2.0.43
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any Yii2 application using the framework's random number generation functions.

📦 What is this software?

Yii 2 is an open-source, component-based PHP web application framework, distributed through Composer as the yiisoft/yii2 package. Its yii\base\Security component is the framework's source of random keys and tokens (generateRandomKey(), generateRandomString()), and the CSRF protection in yii\web\Request draws its tokens from that component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could predict CSRF tokens, session IDs, or cryptographic nonces, leading to CSRF attacks, session hijacking, or bypass of any security control that depends on unpredictable values.

🟠 Likely Case

CSRF token prediction enabling cross-site request forgery against authenticated users.

🟢 If Mitigated

Limited impact where defence-in-depth controls reduce what a guessed token is worth: short session lifetimes, re-authentication before sensitive actions, and SameSite session cookies that stop a forged cross-site request from carrying the victim's session.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires knowledge of the predictable algorithm and the ability to observe enough generated values (for example, the attacker's own CSRF tokens) to recover the generator's state and predict values issued to other users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.43

Vendor Advisory: https://github.com/yiisoft/yii2/commit/13f27e4d920a05d53236139e8b07007acd046a46

Restart Required: No

Instructions:

1. Update Yii2 to version 2.0.43 or later via Composer: composer require yiisoft/yii2:"^2.0.43" (this resolves and installs the new version; a separate composer update is only needed if you edited composer.json by hand).
2. Confirm that composer.lock now pins yiisoft/yii2 at 2.0.43 or later and deploy the updated vendor directory.
3. Clear any cached files if using caching mechanisms (application cache, opcache on long-running PHP-FPM workers).

🔧 Temporary Workarounds

Override Random Generator (applies to: all)

Manually override the framework's random number generator with a cryptographically secure alternative: implement a custom generator that draws from PHP's random_bytes() (or openssl_random_pseudo_bytes() on PHP builds without random_bytes()) and configure the application to use it instead of the built-in one.
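One way to apply this workaround, as an added example that is not code from the original page or from the Yii project: subclass yii\base\Security, override generateRandomKey() (the method that generateRandomString() and the CSRF token generation in yii\web\Request ultimately call, which is an assumption to confirm against your installed version), and register the subclass as the application's security component. The class name app\components\SecureRandomSecurity and the config path are assumptions; adjust them to your application layout.

```php
<?php
// Added example, not part of the Yii project or the original advisory page.
// Assumes a standard Yii2 application (app\ namespace, config/web.php) whose
// random tokens are produced through Yii::$app->security->generateRandomKey().

namespace app\components;

use yii\base\InvalidArgumentException;
use yii\base\Security;

/**
 * Security component whose raw random bytes always come from PHP's CSPRNG.
 *
 * random_bytes() (PHP 7.0+) reads from the operating system's secure source
 * (/dev/urandom, getrandom(2), CryptGenRandom) and throws an \Exception if no
 * secure source is available, instead of silently degrading to a weak
 * generator. Because generateRandomString() builds on generateRandomKey(),
 * overriding this single method also covers string tokens such as CSRF tokens.
 */
class SecureRandomSecurity extends Security
{
    /**
     * Generate $length cryptographically secure random bytes.
     *
     * @param int $length number of bytes to generate (default 32, as in the parent)
     * @return string binary string of exactly $length bytes
     * @throws InvalidArgumentException if $length is not a positive integer
     * @throws \Exception if the platform has no secure randomness source
     */
    public function generateRandomKey($length = 32)
    {
        if (!is_int($length) || $length < 1) {
            throw new InvalidArgumentException('Length must be a positive integer.');
        }

        return random_bytes($length);
    }
}

// Wiring (assumed location: config/web.php, inside the 'components' array):
//
//   'security' => [
//       'class' => \app\components\SecureRandomSecurity::class,
//   ],
//
// After deploying, issue two CSRF tokens from separate requests and confirm
// they differ, and run a quick uniqueness check from a console command:
//
//   $seen = [];
//   for ($i = 0; $i < 10000; $i++) {
//       $seen[Yii::$app->security->generateRandomString(32)] = true;
//   }
//   assert(count($seen) === 10000);   // no collisions expected from a CSPRNG
```

Caveat: session identifiers issued through yii\web\Session come from PHP's own session extension, not from the security component, so this override changes the tokens the component produces (CSRF tokens, generateRandomString() and generateRandomKey() callers) but not how PHP mints session IDs; verify against your own application which values flow through the component.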

🧯 If You Can't Patch

  • Implement additional CSRF protection layers such as double-submit cookies or custom token validation, generating the extra token with random_bytes() rather than the vulnerable framework generator (otherwise the added layer inherits the same predictability)
  • Use external session management that doesn't rely on Yii2's random generation

🔍 How to Verify

Check if Vulnerable:

Confirm the application depends on Yii2 and find the installed version: grep "yiisoft/yii2" composer.json composer.lock, or composer show yiisoft/yii2 (prints the exact installed version). Anything below 2.0.43 is vulnerable.

Check Version:

From the application root: php -r "require 'vendor/yiisoft/yii2/Yii.php'; echo Yii::getVersion(), PHP_EOL;" (the Yii class must be loaded first; a bare Yii::getVersion() call fails with a class-not-found error). Alternatively read the version from composer.lock under yiisoft/yii2.

Verify Fix Applied:

Verify that the installed version is 2.0.43 or later: php -r "require 'vendor/yiisoft/yii2/Yii.php'; echo Yii::getVersion(), PHP_EOL;" and check that composer.lock and the deployed vendor directory agree.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed CSRF token validations from same source
  • Unusual session creation patterns
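A detection that turns the first log indicator into something runnable, as an added example (not from the original page or the Yii project): Yii2 rejects a request with a bad CSRF token with HTTP 400 ("Unable to verify your data submission."), so a burst of 400 responses to POST requests from one client is the signal. The script below parses combined-format access log lines and flags clients that produce a threshold number of POST/400 events within a sliding window. The sample lines, the window size and the threshold are constructed for the demonstration; tune them to your traffic.

```php
<?php
// Added example, not part of the original advisory page or the Yii project.
// Flags client IPs with repeated HTTP 400 responses to POST requests, the
// status Yii2 returns when CSRF token validation fails.

const WINDOW_SECONDS = 300;  // sliding window (assumed tuning value)
const THRESHOLD      = 5;    // POST/400 events per window that raise an alert (assumed)

/**
 * Parse one combined-format access log line into ip, time, method, path, status.
 * Returns null for lines that do not match the format.
 */
function parseAccessLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    ];
}

/**
 * Return [ip => count] for clients whose POST/400 events within any
 * WINDOW_SECONDS window reach THRESHOLD. Lines are assumed to be in time order.
 */
function findCsrfBruteForcers(array $lines): array
{
    $events  = [];  // ip => timestamps of recent POST/400 events
    $flagged = [];
    foreach ($lines as $line) {
        $e = parseAccessLine($line);
        if ($e === null || $e['method'] !== 'POST' || $e['status'] !== 400) {
            continue;
        }
        $ip  = $e['ip'];
        $now = $e['time'];
        $events[$ip][] = $now;
        // Keep only events still inside the window ending at this event.
        $events[$ip] = array_values(array_filter(
            $events[$ip],
            fn(int $t): bool => $t > $now - WINDOW_SECONDS
        ));
        if (count($events[$ip]) >= THRESHOLD) {
            $flagged[$ip] = count($events[$ip]);
        }
    }
    return $flagged;
}

// Constructed sample log: 203.0.113.5 hammers the login form with bad tokens,
// 198.51.100.7 is a normal user with one stale-token failure and one success.
$sample = [
    '198.51.100.7 - - [10/Aug/2021:12:00:01 +0000] "POST /site/login HTTP/1.1" 400 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Aug/2021:12:00:09 +0000] "POST /site/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2021:12:01:00 +0000] "POST /site/login HTTP/1.1" 400 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Aug/2021:12:01:10 +0000] "POST /site/login HTTP/1.1" 400 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Aug/2021:12:01:20 +0000] "POST /site/login HTTP/1.1" 400 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Aug/2021:12:01:30 +0000] "POST /site/login HTTP/1.1" 400 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Aug/2021:12:01:40 +0000] "POST /site/login HTTP/1.1" 400 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Aug/2021:12:01:50 +0000] "POST /site/login HTTP/1.1" 400 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Aug/2021:12:02:00 +0000] "GET /site/index HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
];

foreach (findCsrfBruteForcers($sample) as $ip => $count) {
    printf("ALERT: %s produced %d POST/400 responses within %d seconds\n", $ip, $count, WINDOW_SECONDS);
}
```

Run against the sample, only 203.0.113.5 is reported (six POST/400 events inside the five-minute window); the ordinary user with a single failure stays below the threshold. The same logic applies to a Yii application log if you key on the "Unable to verify your data submission." message instead of the HTTP status.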

Network Indicators:

  • Predictable token values in requests
  • Repeated requests with sequential token values

SIEM Query:

Splunk-style example (adjust index, field names and threshold to your environment): index=web method=POST status=400 | stats count by clientip | where count > 20. Sequential or repeated token values cannot be detected with a simple field match; spotting them requires extracting the token from request bodies or application logs and comparing values across requests.
