GHSA-ggwg-cmwp-46r5

Source

https://github.com/advisories/GHSA-ggwg-cmwp-46r5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ggwg-cmwp-46r5/GHSA-ggwg-cmwp-46r5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-ggwg-cmwp-46r5

Aliases

CVE-2024-58136

Published

2025-04-10T03:31:32Z

Modified

2025-10-22T19:53:03.520505Z

Severity

9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H CVSS Calculator

Summary

yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key

Details

Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

Database specific

{
    "nvd_published_at": "2025-04-10T03:15:17Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-424"
    ],
    "github_reviewed_at": "2025-04-10T20:26:18Z",
    "github_reviewed": true
}

References

Affected packages

Packagist / yiisoft/yii2

Package

Name: yiisoft/yii2
Purl: pkg:composer/yiisoft/yii2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.52

Affected versions

2.*

2.0.0-alpha

2.0.0-beta

2.0.0-rc

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.11.1

2.0.11.2

2.0.12

2.0.12.1

2.0.12.2

2.0.13

2.0.13.1

2.0.13.2

2.0.13.3

2.0.14

2.0.14.1

2.0.14.2

2.0.15

2.0.15.1

2.0.16

2.0.16.1

2.0.17

2.0.18

2.0.19

2.0.20

2.0.21

2.0.22

2.0.23

2.0.24

2.0.25

2.0.26

2.0.27

2.0.28

2.0.29

2.0.30

2.0.31

2.0.32

2.0.33

2.0.34

2.0.35

2.0.36

2.0.37

2.0.38

2.0.39

2.0.39.1

2.0.39.2

2.0.39.3

2.0.40

2.0.41

2.0.41.1

2.0.42

2.0.42.1

2.0.43

2.0.44

2.0.45

2.0.46

2.0.47

2.0.48

2.0.48.1

2.0.49

2.0.49.1

2.0.49.2

2.0.49.3

2.0.49.4

2.0.50

2.0.51