PT-2025-15893 · Yii · Yii

Published 2024-07-25 · Updated 2025-11-05 · CVE-2024-58136

CVSS v2.0: 10 (Critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Yii 2 versions prior to 2.0.52
Description: Yii 2 before 2.0.52 mishandles behavior attachment when a behavior is supplied as a configuration array with a `class` key. The array is handed to the framework's object factory, which instantiates whatever class the key names, and the result is attached without first being checked to be an actual Behavior. Wherever an attacker can influence that configuration, behavior attachment therefore becomes an arbitrary-class instantiation primitive, and from there a path to remote code execution. The flaw has been exploited in the wild since at least February 2025, chained with a separate flaw in an application built on Yii 2 (public reporting identified Craft CMS), to breach servers and deploy malicious scripts; roughly 13,000 instances were found vulnerable and about 300 already compromised.
Recommendations: For versions prior to 2.0.52, upgrade immediately to a release that contains the fix. Until the upgrade is deployed, do not attach behaviors from configuration arrays keyed by `class` unless that configuration is fully trusted, and make sure no request-controlled data can reach behavior or component configuration (anything that ends up in the object factory). Restrict network access to administrative and other sensitive areas of the application to limit exposure. Applications built on Yii 2 inherit the flaw through the framework, so check their vendor advisories as well as the bundled Yii version.
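The description and the recommendation above both turn on one missing check, so the following added example (written for this page, not Yii's own code) models it: a minimal stand-in for a Yii 2 component that attaches a behavior from a `class`-keyed config array, once in the pre-2.0.52 shape that accepts whatever the factory returns, and once with the class name validated before anything is instantiated. Class and function names (`createObject`, `attachBehaviorVulnerable`, `attachBehaviorHardened`, `SideEffectOnConstruct`) are illustrative, the "attacker" config is constructed for the demo, and PHP 8.1+ is assumed for string-keyed argument unpacking.

```php
<?php
// Added example (not Yii's own code): a minimal model of how a Yii 2 component
// attaches a behavior given as a config array, with the pre-2.0.52 flaw and a
// check that closes it. Class and function names are illustrative; the real
// framework does this in yii\base\Component via Yii::createObject().
// Assumes PHP 8.1+ (named-argument unpacking of string-keyed arrays).
declare(strict_types=1);

// Stand-in for yii\base\Behavior.
abstract class Behavior
{
    public ?object $owner = null;

    public function attach(object $owner): void
    {
        $this->owner = $owner;
    }
}

// A legitimate behavior, the only kind of object that should ever be attached.
final class TimestampBehavior extends Behavior
{
    public function __construct(public string $attribute = 'updated_at') {}
}

// Not a behavior. Its constructor has a side effect, standing in for any
// autoloadable class whose instantiation (or later method call) is dangerous.
final class SideEffectOnConstruct
{
    /** @var string[] */
    public static array $log = [];

    public function __construct(string $command)
    {
        self::$log[] = "would run: {$command}";
    }
}

// Stand-in for the object factory: `class` picks the type, the remaining keys
// become constructor arguments. This generality is exactly why an unvalidated
// `class` key is dangerous.
function createObject(array $config): object
{
    if (!isset($config['class']) || !is_string($config['class'])) {
        throw new InvalidArgumentException('config needs a class key');
    }
    $class = $config['class'];
    unset($config['class']);
    return new $class(...$config);
}

// Vulnerable shape: whatever the factory returns is accepted. The constructor
// of an arbitrary class has already run by the time anything could be checked.
function attachBehaviorVulnerable(object $owner, array $config): object
{
    $behavior = createObject($config);
    if ($behavior instanceof Behavior) {
        $behavior->attach($owner);
    }
    return $behavior;
}

// Hardened shape: validate the class *name* before instantiating anything, then
// re-check the instance. Checking only after construction would still let a
// constructor side effect fire.
function attachBehaviorHardened(object $owner, array $config): Behavior
{
    $class = $config['class'] ?? null;
    if (!is_string($class) || !is_subclass_of($class, Behavior::class)) {
        throw new UnexpectedValueException(
            'behavior config must name a ' . Behavior::class . ' subclass, got ' . var_export($class, true)
        );
    }
    $behavior = createObject($config);
    if (!($behavior instanceof Behavior)) {
        throw new UnexpectedValueException('factory returned a non-Behavior');
    }
    $behavior->attach($owner);
    return $behavior;
}

$owner = new stdClass();

// Trusted, static config (what an application's behaviors() normally contains).
$ts = attachBehaviorHardened($owner, ['class' => TimestampBehavior::class, 'attribute' => 'created_at']);
echo 'attached ' . get_class($ts) . " on {$ts->attribute}\n";

// Attacker-shaped config, constructed for this example: the class key points at
// something that is not a Behavior at all.
$malicious = ['class' => SideEffectOnConstruct::class, 'command' => 'id'];

attachBehaviorVulnerable($owner, $malicious);         // side effect fires
echo 'vulnerable path: ' . implode('; ', SideEffectOnConstruct::$log) . "\n";

SideEffectOnConstruct::$log = [];
try {
    attachBehaviorHardened($owner, $malicious);
} catch (UnexpectedValueException $e) {
    echo 'hardened path: rejected (' . $e->getMessage() . ")\n";
}
echo 'side effects on hardened path: ' . count(SideEffectOnConstruct::$log) . "\n";
```

Run it with `php example.php`. The point to carry back to a real code base is the order of operations: the class name is checked against `Behavior` before the factory runs, because by the time an `instanceof` check on the returned object could fail, an arbitrary constructor has already executed. In a deployed Yii 2 application the attacker never edits `behaviors()` directly; the exposure comes from any code path that feeds request data into component or behavior configuration, which is what the recommendation above asks you to find and close.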

Tags: Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

BDU:2025-06103
CVE-2024-58136
GHSA-GGWG-CMWP-46R5

Affected Products

Yii