CVE-2024-4990

9.1 CRITICAL

📋 TL;DR

This vulnerability in Yii2's Component class allows attackers to instantiate arbitrary classes and call their methods by manipulating behavior assignments (the `as <name>` properties handled by `Component::__set()`). Any application using Yii2 version 2.0.48 is affected, potentially leading to remote code execution, data theft, or privilege escalation.

💻 Affected Systems

Products:
  • yiisoft/yii2
Versions: Version 2.0.48 only
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the Component class with behavior assignments. Requires PHP environment with Yii2 2.0.48.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Unauthorized access to sensitive data, privilege escalation, or denial of service through arbitrary class instantiation.

🟢 If Mitigated

Limited impact with proper input validation and behavior restrictions, potentially only causing application errors.

🌐 Internet-Facing: HIGH - Web applications using Yii2 are directly exposed to exploitation via HTTP requests.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but require network access or insider threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires finding endpoints that accept user input for behavior assignments. Public proof-of-concept demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.49

Vendor Advisory: https://www.yiiframework.com/news

Restart Required: No

Instructions:

1. Update composer.json to require `"yiisoft/yii2": "^2.0.49"`.
2. Run `composer update yiisoft/yii2`.
3. Verify the update with `composer show yiisoft/yii2`.

🔧 Temporary Workarounds

Input Validation for Behavior Assignments

Applies to: all

Add validation to ensure only allowed behavior classes can be assigned through user input.

Restrict Behavior Configuration

Applies to: all

Override the `__set()` method in custom components to validate behavior class names before assignment.
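The workaround above, written out as an added example (this is not Yii's own code and not part of the original advisory): a Component subclass that intercepts the `as <name>` behavior assignments in `__set()`, resolves the requested class from the three forms Yii accepts (a Behavior object, a class-name string, or a config array with a `class` key), and rejects anything not on an explicit allowlist before delegating to the framework. The class name `SafeComponent`, the namespace `app\components`, and the contents of `ALLOWED_BEHAVIORS` are constructed for illustration; `yii\base\Component`, `yii\base\Behavior` and `yii\base\InvalidConfigException` are the real framework classes.

```php
<?php
// Added example, not Yii framework code. Assumes yii\base\Component,
// yii\base\Behavior and yii\base\InvalidConfigException from yiisoft/yii2.
// SafeComponent, the namespace and the allowlist entries are constructed.

namespace app\components;

use yii\base\Behavior;
use yii\base\Component;
use yii\base\InvalidConfigException;

class SafeComponent extends Component
{
    /** Behavior classes this component may attach (constructed allowlist; adjust per component). */
    private const ALLOWED_BEHAVIORS = [
        \yii\behaviors\TimestampBehavior::class,
        \yii\behaviors\AttributeBehavior::class,
    ];

    /**
     * Yii treats a property name beginning with "as " as a behavior assignment.
     * Validate the requested behavior before the parent implementation
     * instantiates and attaches it.
     */
    public function __set($name, $value)
    {
        if (strncmp($name, 'as ', 3) === 0) {
            $this->assertAllowedBehavior($name, $value);
        }
        parent::__set($name, $value);
    }

    /**
     * Resolve the class a behavior assignment refers to and check it against
     * the allowlist. Throws InvalidConfigException on any disallowed or
     * malformed value so the assignment never reaches the framework.
     */
    private function assertAllowedBehavior(string $name, $value): void
    {
        if ($value instanceof Behavior) {
            $class = get_class($value);
        } elseif (is_string($value)) {
            $class = $value;
        } elseif (is_array($value) && isset($value['class']) && is_string($value['class'])) {
            $class = $value['class'];
        } else {
            throw new InvalidConfigException(
                "Behavior '$name' must be a Behavior object, a class name, or a config array with a 'class' key."
            );
        }

        // Normalise a leading backslash so "\\yii\\..." and "yii\\..." compare equal.
        $class = ltrim($class, '\\');

        // Allowlist check first: do not autoload or inspect classes that were never permitted.
        if (!in_array($class, self::ALLOWED_BEHAVIORS, true)) {
            throw new InvalidConfigException("Behavior class '$class' is not permitted for '$name'.");
        }

        // Defence in depth: the framework expects behaviors to extend yii\base\Behavior.
        if (!is_subclass_of($class, Behavior::class)) {
            throw new InvalidConfigException("'$class' does not extend " . Behavior::class . '.');
        }
    }
}
```

The check runs for every path that goes through `__set()`, including the configuration array passed to the constructor and `Yii::configure()`. Behaviors attached directly with `attachBehavior()` or `attachBehaviors()` do not pass through `__set()`, so user-controlled data must not be routed to those calls either; the allowlist is a stop-gap until the 2.0.49 update is applied.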

🧯 If You Can't Patch

  • Implement strict input validation for all user-controlled behavior assignments.
  • Use web application firewall rules to block suspicious behavior configuration patterns.

🔍 How to Verify

Check if Vulnerable:

Check composer.lock or run `composer show yiisoft/yii2` to see if the installed version is 2.0.48.

Check Version:

composer show yiisoft/yii2 | grep versions

Verify Fix Applied:

Confirm the version is 2.0.49 or higher with `composer show yiisoft/yii2`.

📡 Detection & Monitoring

Log Indicators:

  • Unusual class instantiation errors
  • Unexpected behavior configuration attempts in application logs

Network Indicators:

  • HTTP requests with suspicious behavior parameter values
  • Unusual POST data patterns

SIEM Query:

source='web_logs' AND (message LIKE '%behavior%' OR message LIKE '%__set%') AND status_code=500

This query is a generic starting point for a log search: the `status_code=500` filter only surfaces attempts that made the application fail, so successful instantiation of an unexpected class (which may return a normal status) must also be hunted by looking for behavior configuration values arriving in request parameters.
