VYPR
Critical severity · CISA KEV · NVD Advisory · Published Apr 10, 2025 · Updated Oct 21, 2025

CVE-2024-58136

Description

Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
yiisoft/yii2 (Packagist) | < 2.0.52 | 2.0.52

Affected products

1
  • yiiframework/Yiiv5
    Range: 2

Patches

1
40fe496eda52

Fix regression introduced in `GHSA-cjcc-p67m-7qxm` while attaching behavior defined by `__class` array key

https://github.com/yiisoft/yii2 · ErickSkrauch · Jul 24, 2024 · via ghsa
3 files changed · +5 -3
  • framework/base/Component.php +1 -1 modified
    @@ -190,7 +190,7 @@ public function __set($name, $value)
                 $name = trim(substr($name, 3));
                 if ($value instanceof Behavior) {
                     $this->attachBehavior($name, $value);
    -            } elseif (isset($value['class']) && is_subclass_of($value['class'], Behavior::class, true)) {
    +            } elseif ((isset($value['class']) && is_subclass_of($value['class'], Behavior::class)) || (isset($value['__class']) && is_subclass_of($value['__class'], Behavior::class))) {
                     $this->attachBehavior($name, Yii::createObject($value));
                 } elseif (is_string($value) && is_subclass_of($value, Behavior::class, true)) {
                     $this->attachBehavior($name, Yii::createObject($value));
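
Review bot: In the rewritten `elseif` of `__set()`, the checks on `class` and `__class` are joined with `||`, yet the whole `$value` array is then passed to `Yii::createObject($value)`. An array that carries both keys is accepted as soon as one of them names a `Behavior` subclass while the other key goes unchecked, so the class that was validated is not guaranteed to be the class that gets instantiated. Consider testing `__class` first and accepting `class` only when `__class` is absent (`!isset($value['__class']) && isset($value['class']) && is_subclass_of(...)`), so the key used for instantiation is always the one that was verified. Dropping the third argument of `is_subclass_of()` changes nothing, since `allow_string` defaults to `true`.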
    
  • framework/CHANGELOG.md +1 -2 modified
    @@ -4,8 +4,7 @@ Yii Framework 2 Change Log
     2.0.52 under development
     ------------------------
     
    -- no changes in this release.
    -
    +- Bug #20232: Fix regression introduced in `GHSA-cjcc-p67m-7qxm` while attaching behavior defined by `__class` array key (erickskrauch)
     
     2.0.51 July 18, 2024
     --------------------
    
  • tests/framework/base/ComponentTest.php +3 -0 modified
    @@ -341,6 +341,9 @@ public function testAttachBehavior()
             $this->assertTrue($component->hasProperty('p'));
             $component->test();
             $this->assertTrue($component->behaviorCalled);
    +
    +        $component->{'as c'} = ['__class' => NewBehavior::class];
    +        $this->assertNotNull($component->getBehavior('c'));
         }
     
         public function testAttachBehaviors()
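
Review bot: The assertion added to `testAttachBehavior()` covers only the accepted case, where `__class` names a `Behavior` subclass. The type check this commit modifies has no negative coverage here: add a case where `__class` names a class that is not a `Behavior`, and a case where the array carries both `class` and `__class` with only one of them a `Behavior`, each asserting that no behavior is attached.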
    
