
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A critical security vulnerability (CVE-2024-58136) has been identified in Yii 2 versions prior to 2.0.52. It is a regression of CVE-2024-4990: the framework's behavior-attachment code mishandles behaviors defined through an __class array key. The vulnerability was actively exploited in the wild between February and April 2025 (Security Online, NVD).
The vulnerability stems from improper handling of behavior attachments in Yii's Component system. When behaviors are assigned using the 'as behaviorName' => [...] syntax, the framework internally uses PHP's __set() method. The issue occurs when the value passed to this method is not properly validated before being processed by Yii::createObject(). The vulnerability has received a CVSS v3.1 score of 9.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (NVD).
The vulnerability allows attackers to instantiate arbitrary PHP classes, feed them attacker-chosen constructor arguments, and invoke setter methods through unsafe reflection. This can lead to complete compromise of Yii-powered applications (Security Online).
Users are strongly advised to upgrade to Yii 2.0.52, which contains the complete fix for this vulnerability. The issue was initially addressed in an earlier release, but that fix regressed and required additional patches (Yii Framework).
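As an added illustration (this is not Yii's own patch, and the real remedy is the 2.0.52 upgrade), the kind of allow-list check a defender would want in front of the behavior-attachment path: a behavior config array is only handed to Yii::createObject() once the named class is confirmed to be a yii\base\Behavior subclass. It assumes Yii 2 is autoloaded via Composer; the function name and the sample configs are constructed for this example.

```php
<?php
// Added example, not Yii framework code. Assumes vendor/autoload.php and
// Yii.php from a Composer-installed Yii 2 so that Yii::createObject() exists.
require __DIR__ . '/vendor/autoload.php';
require __DIR__ . '/vendor/yiisoft/yii2/Yii.php';

use yii\base\Behavior;
use yii\base\InvalidConfigException;

/**
 * Normalise an 'as <name>' => [...] behavior config and refuse anything
 * that does not resolve to a concrete yii\base\Behavior subclass.
 * Returns a config array that is safe to pass to Yii::createObject().
 */
function validateBehaviorConfig(array $config): array
{
    // Behavior configs may name their class via '__class' or 'class'.
    $class = $config['__class'] ?? $config['class'] ?? null;
    unset($config['__class'], $config['class']);

    if (!is_string($class) || $class === '' || !class_exists($class)) {
        throw new InvalidConfigException('Behavior config must name an existing class.');
    }
    // This is the check that blocks arbitrary class instantiation:
    // only Behavior subclasses may be created and attached here.
    if (!is_subclass_of($class, Behavior::class)) {
        throw new InvalidConfigException("$class is not a yii\\base\\Behavior.");
    }
    if ((new ReflectionClass($class))->isAbstract()) {
        throw new InvalidConfigException("$class is abstract.");
    }
    return ['class' => $class] + $config;
}

// Constructed sample 1: a legitimate behavior config passes and is created.
$ok = validateBehaviorConfig([
    '__class' => yii\behaviors\TimestampBehavior::class,
    'createdAtAttribute' => 'created_at',
]);
$behavior = Yii::createObject($ok);
echo get_class($behavior), PHP_EOL;

// Constructed sample 2: a non-Behavior class is rejected before createObject().
try {
    validateBehaviorConfig(['__class' => DateTime::class, 'timezone' => 'UTC']);
} catch (InvalidConfigException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```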
Source: This report was generated using AI