Unsafe deserialization in Yii 2
Description
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls unserialize() on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Yii2 before 2.0.38 allows remote code execution via unserialize() on arbitrary user input.
Yii2 (yiisoft/yii2) versions prior to 2.0.38 are vulnerable to remote code execution when an application calls PHP's unserialize() on user-controlled data. The root cause is that the yii\db\BatchQueryResult class lacked a __wakeup() method, making it a gadget for deserialization attacks [1][2][3].
Exploitation requires that the application pass untrusted input to unserialize(). An attacker can craft a malicious serialized object that, upon deserialization, triggers code execution via available gadget chains within Yii2 or its dependencies [1][4].
Successful exploitation allows an attacker to execute arbitrary PHP code with the permissions of the web server, leading to full compromise of the application and potentially the server [3][4].
The vulnerability is fixed in Yii2 version 2.0.38, which adds a __wakeup() method that throws an exception to prevent unserialization of BatchQueryResult. A workaround without upgrading is also available as detailed in the advisory [4].
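As an added illustration (not code from Yii or from this page), the shape of the 2.0.38 fix beside the caller-side mitigation the description implies; `GuardedResult` and `unserializeUntrusted()` are hypothetical names, and the wrapper generalizes beyond this one class by refusing to instantiate any object from untrusted input:

```php
<?php
// Added example, not code from Yii or this page: the per-class __wakeup() guard the
// 2.0.38 fix introduces, beside a caller-side wrapper that never instantiates objects.
// Hypothetical stand-in for yii\db\BatchQueryResult after the fix.
final class GuardedResult
{
    public $query = null;
    // Same shape as the patch: refuse to revive this class from a serialized string.
    public function __wakeup(): void
    {
        throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
    }
}
// Deserialize untrusted data without ever instantiating a class: with
// allowed_classes=false every object becomes __PHP_Incomplete_Class, and the whole
// payload is rejected if one appears, so no gadget's magic methods can run at all.
function unserializeUntrusted(string $payload)
{
    $value = @unserialize($payload, ['allowed_classes' => false]);
    if ($value === false && $payload !== serialize(false)) {
        throw new \UnexpectedValueException('Malformed serialized payload');
    }
    $reject = function ($v) use (&$reject): void {
        if ($v instanceof \__PHP_Incomplete_Class) {
            throw new \UnexpectedValueException('Serialized objects are not accepted');
        }
        if (is_array($v)) {
            foreach ($v as $item) { $reject($item); }
        }
    };
    $reject($value);
    return $value;
}
// Constructed sample payloads: plain data, and a hand-written object string.
$plain  = serialize(['page' => 2, 'tags' => ['a', 'b']]);
$object = 'O:13:"GuardedResult":1:{s:5:"query";N;}';
var_dump(unserializeUntrusted($plain)['page']);
try {
    unserialize($object);          // the class guard fires
} catch (\BadMethodCallException $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}
try {
    unserializeUntrusted($object); // rejected before any object exists
} catch (\UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The `__wakeup()` guard protects only the one class that carries it, so the wrapper is the layer that removes the whole gadget surface when the input cannot be trusted.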
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yiisoft/yii2 (Packagist) | < 2.0.38 | 2.0.38 |
Affected products
- yiisoft/yii2, range: < 2.0.38
Patches
- 9abccb96d7c5: Merge pull request from GHSA-699q-wcff-g9mj
2 files changed · +12 −0
framework/CHANGELOG.md+1 −0 modified@@ -4,6 +4,7 @@ Yii Framework 2 Change Log 2.0.38 under development ------------------------ +- Bug: (CVE-2020-15148): Disable unserialization of `yii\db\BatchQueryResult` to prevent remote code execution in case application calls unserialize() on user input containing specially crafted string (samdark, russtone) - Enh #18213: Do not load fixtures with circular dependencies twice instead of throwing an exception (JesseHines0) - Bug #18066: Fix `yii\db\Query::create()` wasn't using all info from `withQuery()` (maximkou) - Bug #18269: Fix integer safe attribute to work properly in `yii\base\Model` (Ladone)
framework/db/BatchQueryResult.php+11 −0 modified@@ -223,4 +223,15 @@ private function getDbDriverName() return null; } + + /** + * Unserialization is disabled to prevent remote code execution in case application + * calls unserialize() on user input containing specially crafted string. + * @see CVE-2020-15148 + * @since 2.0.38 + */ + public function __wakeup() + { + throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__); + } }
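Review bot: the new CHANGELOG line is the only entry in this block without an issue or PR reference (its neighbours read `Enh #18213`, `Bug #18066`, `Bug #18269`); carry the advisory id from the merge title, e.g. `Bug (CVE-2020-15148, GHSA-699q-wcff-g9mj): ...`, and state the user-visible effect, namely that `unserialize()` of a `yii\db\BatchQueryResult` now throws `BadMethodCallException`, so applications that serialized these objects into a cache or session can find the break from the changelog.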
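Review bot: the `__wakeup()` guard in BatchQueryResult.php only fires after `unserialize()` has already instantiated the object, so a matching `__sleep()` or `__serialize()` that also throws would stop `BatchQueryResult` instances from ever being written into a cache or session, where they would otherwise only fail with this new exception on read; a unit test asserting that a serialized `BatchQueryResult` string raises `BadMethodCallException` under `unserialize()` should accompany the change. The docblock's `@see CVE-2020-15148` is not a resolvable reference; pointing `@see` at the GHSA URL would be more useful to readers.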
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-699q-wcff-g9mj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-15148 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2020-15148.yaml (ghsa, WEB)
- github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99 (ghsa, x_refsource_MISC, WEB)
- github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj (ghsa, x_refsource_CONFIRM, WEB)
- www.yiiframework.com/news/303/yii-2-0-38 (ghsa, WEB)
News mentions
No linked articles in our index yet.