CVE-2024-4990: 
PHP vulnerability analysis and mitigation

In yiisoft/yii2 version 2.0.48, a critical vulnerability was discovered in the base Component class. The vulnerability was identified and assigned CVE-2024-4990, affecting the __set() magic method implementation. This security issue was reported through the huntr.dev platform and made public on March 20, 2025 (NVD).

The vulnerability stems from the __set() magic method's failure to validate whether the value passed is a valid Behavior class name or configuration. This implementation flaw received a CVSS v3.1 base score of 9.1 (CRITICAL) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, while huntr.dev assessed it with a score of 8.1 (HIGH) and vector string CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-470 (Use of Externally-Controlled Input to Select Classes or Code) (NVD).

The vulnerability allows attackers to instantiate arbitrary classes, pass parameters to their constructors, and invoke setter methods. The potential impacts include execution of arbitrary code, retrieval of sensitive information, and unauthorized access, with the specific attack vectors depending on the installed dependencies (NVD).