Urgent: Yii 2 Vulnerability CVE-2024-58136 Under Active Exploit - #CVE-2024-58136
A critical security vulnerability, CVE-2024-58136, has been identified in the Yii 2 PHP web application framework, affecting versions prior to 2.0.52. With a high CVSS score of 9.1, this flaw is a regression of a previously patched issue and involves the framework's Behavior system. The vulnerability stems from improper type and configuration checks in Yii's use of PHP's \_\_set() magic method and Yii::createObject() function, allowing attackers to instantiate arbitrary PHP classes with malicious arguments. This security breach has been actively exploited from February to April 2025, posing a significant threat to Yii 2 applications. The issue highlights the importance of rigorous security testing and prompt patching in web application frameworks. Developers and administrators are strongly advised to update to Yii 2.0.52 immediately to mitigate this serious security risk.