Unsafe Reflection in base Component class in yiisoft/yii2
Description
In yiisoft/yii2 before 2.0.49.4 (reported against 2.0.48), the `__set()` magic method of the base `Component` class handles configuration keys of the form `as <name>` by attaching the value as a behavior, but it does not validate that the value is a `Behavior` instance, a `Behavior` subclass name, or a configuration array whose `class` entry is a `Behavior` subclass: anything that is not already a `Behavior` instance is passed straight to `Yii::createObject()`. An attacker who controls such a configuration value can therefore instantiate arbitrary classes, passing parameters to their constructors and invoking their setter methods. Depending on the installed dependencies, this enables various attacks, including arbitrary code execution, retrieval of sensitive information, and unauthorized access.
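To make the mechanism concrete, the following is an added example in PHP; it is not code from the yii2 project. It models the `as <name>` branch of `Component::__set()` with constructed stand-ins for `Behavior`, `Yii::createObject()` and a non-Behavior class named `ArbitraryService` (all assumptions of this example), and runs the same configuration array through the pre-fix logic and the patched check:

```php
<?php
declare(strict_types=1);

// Added example, not Yii's own code: a self-contained model of the `as <name>`
// branch of yii\base\Component::__set() before and after the CVE-2024-4990 fix.
// Behavior, TimestampBehavior, ArbitraryService and createObject() below are
// constructed stand-ins so the script runs without the framework installed.

class Behavior
{
    public $owner;
}

class TimestampBehavior extends Behavior
{
}

// Constructed stand-in for any non-Behavior class reachable by the autoloader
// whose constructor or setters do something interesting. It only records calls.
class ArbitraryService
{
    public static $calls = [];

    public function __construct()
    {
        self::$calls[] = 'ctor';
    }

    public function setPath(string $path): void
    {
        self::$calls[] = "setPath($path)";
    }
}

// Simplified stand-in for Yii::createObject(): a class name, or an array whose
// 'class' key names the class and whose other keys are applied as properties,
// going through setXxx() setters when they exist.
function createObject($config): object
{
    if (is_string($config)) {
        return new $config();
    }
    if (!is_array($config) || !isset($config['class'])) {
        throw new InvalidArgumentException('Object configuration must contain a "class" element.');
    }
    $class = $config['class'];
    unset($config['class']);
    $object = new $class();
    foreach ($config as $property => $value) {
        $setter = 'set' . ucfirst($property);
        if (method_exists($object, $setter)) {
            $object->$setter($value);
        } else {
            $object->$property = $value;
        }
    }
    return $object;
}

// Pre-fix logic: anything that is not already a Behavior goes straight to createObject().
function attachBehaviorVulnerable(array &$behaviors, string $name, $value): void
{
    $behaviors[$name] = $value instanceof Behavior ? $value : createObject($value);
}

// Post-fix logic, mirroring the patched check. The is_string() guard on
// $value['class'] is an addition of this example, not part of the patch.
function attachBehaviorFixed(array &$behaviors, string $name, $value): void
{
    if ($value instanceof Behavior) {
        $behaviors[$name] = $value;
    } elseif (is_array($value) && isset($value['class']) && is_string($value['class'])
        && is_subclass_of($value['class'], Behavior::class, true)) {
        $behaviors[$name] = createObject($value);
    } elseif (is_string($value) && is_subclass_of($value, Behavior::class, true)) {
        $behaviors[$name] = createObject($value);
    } else {
        throw new InvalidArgumentException('Class is not of type ' . Behavior::class . ' or its subclasses');
    }
}

// Constructed configurations: a legitimate behavior and an attacker-influenced
// value that names a non-Behavior class and feeds one of its setters.
$legit   = ['class' => TimestampBehavior::class];
$hostile = ['class' => ArbitraryService::class, 'path' => '/tmp/anything'];

$behaviors = [];
attachBehaviorVulnerable($behaviors, 'timestamp', $legit);
attachBehaviorVulnerable($behaviors, 'evil', $hostile);
printf("vulnerable: attached %s, calls: %s\n",
    get_class($behaviors['evil']), implode(', ', ArbitraryService::$calls));

ArbitraryService::$calls = [];
$behaviors = [];
attachBehaviorFixed($behaviors, 'timestamp', $legit);
try {
    attachBehaviorFixed($behaviors, 'evil', $hostile);
} catch (InvalidArgumentException $e) {
    printf("fixed: rejected (%s), calls: %d\n", $e->getMessage(), count(ArbitraryService::$calls));
}
```

The pre-fix path constructs `ArbitraryService` and calls its setter solely because the configuration array named it; the patched path refuses the array before anything is constructed. One caveat the patch does not remove: `is_subclass_of()` with `$allow_string = true` still asks the autoloader to resolve the supplied class name, so the check prevents construction and setter calls but not the autoload lookup itself.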
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yiisoft/yii2 (Packagist) | < 2.0.49.4 | 2.0.49.4 |
Affected products
- Range: unspecified
Patches
62d081f18c36 CVE-2024-32877, Fix Reflected XSS in Debug mode, CVE-2024-4990, Fix Unsafe Reflection in base Component class
4 files changed · +21 −6
framework/base/Component.php+9 −1 modified@@ -188,7 +188,15 @@ public function __set($name, $value) } elseif (strncmp($name, 'as ', 3) === 0) { // as behavior: attach behavior $name = trim(substr($name, 3)); - $this->attachBehavior($name, $value instanceof Behavior ? $value : Yii::createObject($value)); + if ($value instanceof Behavior) { + $this->attachBehavior($name, $value); + } elseif (isset($value['class']) && is_subclass_of($value['class'], 'yii\base\Behavior', true)) { + $this->attachBehavior($name, Yii::createObject($value)); + } elseif (is_string($value) && is_subclass_of($value, 'yii\base\Behavior', true)) { + $this->attachBehavior($name, Yii::createObject($value)); + } else { + throw new InvalidConfigException('Class is not of type yii\base\Behavior or its subclasses'); + } return; }
framework/CHANGELOG.md+7 −0 modified@@ -1,6 +1,13 @@ Yii Framework 2 Change Log ========================== +2.0.49.4 June 4, 2024 +--------------------- + +- Bug: CVE-2024-32877, Fix Reflected XSS in Debug mode (Antiphishing) +- Bug: CVE-2024-4990, Fix Unsafe Reflection in base Component class (@mtangoo) + + 2.0.49.3 October 31, 2023 -------------------------
framework/web/ErrorHandler.php+1 −1 modified@@ -180,7 +180,7 @@ protected function convertExceptionToArray($exception) */ public function htmlEncode($text) { - return htmlspecialchars($text, ENT_NOQUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'); + return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'); } /**
tests/framework/web/ErrorHandlerTest.php+4 −4 modified@@ -85,19 +85,19 @@ public function dataHtmlEncode() return [ [ "a \t=<>&\"'\x80`\n", - "a \t=<>&\"'�`\n", + "a \t=<>&"'�`\n", ], [ '<b>test</b>', '<b>test</b>', ], [ '"hello"', - '"hello"', + '"hello"', ], [ "'hello world'", - "'hello world'", + "'hello world'", ], [ 'Chip&Dale', @@ -130,7 +130,7 @@ public function testHtmlEncodeWithUnicodeSequence() $handler = Yii::$app->getErrorHandler(); $text = "a \t=<>&\"'\x80\u{20bd}`\u{000a}\u{000c}\u{0000}"; - $expected = "a \t=<>&\"'�₽`\n\u{000c}\u{0000}"; + $expected = "a \t=<>&"'�₽`\n\u{000c}\u{0000}"; $this->assertSame($expected, $handler->htmlEncode($text)); }
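Review bot: in the Component.php hunk, the new array branch checks `isset($value['class'])` but not that `$value['class']` is a string, so a configuration such as `['class' => ['x']]` reaches `is_subclass_of()` with an array and raises a TypeError on PHP 8 instead of the intended InvalidConfigException; add `is_string($value['class'])` to that condition. Note also that `is_subclass_of()` is false for `yii\base\Behavior` itself, so the string and array forms reject the base class while the `instanceof` branch accepts an instance of it; `is_a($value, 'yii\base\Behavior', true)` would make the three branches consistent if rejecting the base class is not intended.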
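Review bot: the ErrorHandler.php hunk changes the output of the public htmlEncode() method (`"` and `'` are now encoded, as the updated expectations in ErrorHandlerTest.php show), which is the right default for text that can land inside an attribute, but the CHANGELOG entry only says "Fix Reflected XSS in Debug mode"; state in the changelog or upgrade notes that htmlEncode() now encodes quotes, since subclasses or custom error views that post-process its output may depend on the old ENT_NOQUOTES behaviour.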
628d406bfafb Merge pull request from GHSA-cjcc-p67m-7qxm
2 files changed · +11 −1
framework/base/Component.php+9 −1 modified@@ -189,7 +189,15 @@ public function __set($name, $value) } elseif (strncmp($name, 'as ', 3) === 0) { // as behavior: attach behavior $name = trim(substr($name, 3)); - $this->attachBehavior($name, $value instanceof Behavior ? $value : Yii::createObject($value)); + if ($value instanceof Behavior) { + $this->attachBehavior($name, $value); + } elseif (isset($value['class']) && is_subclass_of($value['class'], Behavior::class, true)) { + $this->attachBehavior($name, Yii::createObject($value)); + } elseif (is_string($value) && is_subclass_of($value, Behavior::class, true)) { + $this->attachBehavior($name, Yii::createObject($value)); + } else { + throw new InvalidConfigException('Class is not of type ' . Behavior::class . ' or its subclasses'); + } return; }
framework/CHANGELOG.md+2 −0 modified@@ -27,11 +27,13 @@ Yii Framework 2 Change Log - New #20137: Added `yii\caching\CallbackDependency` to allow using a callback to determine if a cache dependency is still valid (laxity7) - Enh #20134: Raise minimum `PHP` version to `7.3` (@terabytesoftw) - Bug #20141: Update `ezyang/htmlpurifier` dependency to version `4.17` (@terabytesoftw) +- CVE-2024-4990: Fix Unsafe Reflection in base Component class (@mtangoo) - Bug #19817: Add MySQL Query `addCheck()` and `dropCheck()` (@bobonov) - Bug #20165: Adjust pretty name of closures for PHP 8.4 compatibility (@staabm) - Bug #19855: Fixed `yii\validators\FileValidator` to not limit some of its rules only to array attribute (bizley) - Enh: #20171: Support JSON columns for MariaDB 10.4 or higher (@terabytesoftw) + 2.0.49.2 October 12, 2023 -------------------------
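Review bot: in the Component.php hunk, the else branch now rejects every value that is not a Behavior instance, a Behavior subclass name or an array whose 'class' is a Behavior subclass, so a callable or Closure that was previously forwarded to `Yii::createObject()` is no longer accepted; if that restriction is intended, say so in the CHANGELOG entry, and include the rejected value's type or class in the InvalidConfigException message (for example `is_object($value) ? get_class($value) : gettype($value)`) so a misconfigured behavior can be located without a debugger. The array and string branches are identical apart from the guard; computing `$class = is_string($value) ? $value : ($value['class'] ?? null)` once and validating that keeps the check in one place.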
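Review bot: in the CHANGELOG.md hunk, the new entry `- CVE-2024-4990: Fix Unsafe Reflection in base Component class (@mtangoo)` drops the `Bug`/`Enh` prefix used by every neighbouring line and differs from the `- Bug: CVE-2024-4990, Fix Unsafe Reflection ...` wording of the same fix in the 2.0.49.4 block of the other commit; use one form in both places. The hunk also adds an extra blank line before the `2.0.49.2 October 12, 2023` header.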
References
- github.com/advisories/GHSA-cjcc-p67m-7qxm (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-4990 (advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2024-4990.yaml (web)
- github.com/yiisoft/yii2/blob/master/framework/CHANGELOG.md (web)
- github.com/yiisoft/yii2/commit/628d406bfafb80fc32147837888c0057d89a021e (web)
- github.com/yiisoft/yii2/commit/62d081f18c3602d09e7d075bba3a0ca5c313f0b4 (web)
- github.com/yiisoft/yii2/pull/20183 (web)
- github.com/yiisoft/yii2/security/advisories/GHSA-cjcc-p67m-7qxm (web)
- huntr.com/bounties/4fbdd965-02b6-42e4-b57b-f98f93415b8f (web)