CVEReports
© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2024-4990
CVSS 9.1 · EPSS 0.29%

Magic Methods, Tragic Endings: RCE in Yii2 via Unsafe Reflection

Amit Schendel, Senior Security Researcher

Jan 7, 2026 · 5 min read

Active Exploitation

Executive Summary (TL;DR)

Yii2's `__set()` magic method allows attaching 'Behaviors' (mixins) dynamically using keys starting with `as `. Due to missing type validation, an attacker can pass a class definition instead of a Behavior. The framework passes this definition to `Yii::createObject()`, allowing the instantiation of ANY class in the autoloader. This leads to RCE via destructor gadgets.

A critical unsafe reflection vulnerability in the Yii Framework 2 core component system allows attackers to execute arbitrary code by manipulating the magic methods used for behavior attachment. By injecting a crafted payload into a model via mass assignment, an attacker can make the framework instantiate arbitrary classes (such as gadget classes shipped with Guzzle), leading to RCE.
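As an added example (not code from this report or from the Yii project), the following Python checks decoded JSON request bodies for the injection shape the summary describes: an `as <name>` key whose value is a class definition rather than a Behavior. The request samples are constructed; the `__class` key is checked next to `class` on the assumption that `Yii::createObject()` accepts both as a class definition, and the `Behavior` name-suffix test is a triage heuristic, not a type check.

```python
"""Flag Yii2 behavior-injection attempts (the CVE-2024-4990 pattern) in JSON request bodies:
an 'as <name>' key whose value is a class definition (array with a 'class'/'__class' key,
or a bare class-name string) that Yii::createObject() would instantiate. Samples are constructed."""
import json
import re

# 'class' is Yii2's object-definition key; '__class' is the alias Yii::createObject()
# also accepts (assumption: treat both as a class definition).
CLASS_KEYS = ("class", "__class")
PHP_CLASS = re.compile(r"\\?[A-Za-z_]\w*(\\[A-Za-z_]\w*)*")

def class_name_of(value):
    """Return the class a value would resolve to, or None if it is not a class definition."""
    if isinstance(value, str) and PHP_CLASS.fullmatch(value):
        return value.lstrip("\\")
    if isinstance(value, dict):
        for key in CLASS_KEYS:
            if isinstance(value.get(key), str):
                return value[key].lstrip("\\")
    return None

def walk(node, path=""):
    """Yield (path, key, value) for every key of every object nested in a JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            yield here, key, value
            yield from walk(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")

def scan_request(raw_body):
    """Return [(severity, path, class_name)] for one raw JSON body; [] if clean or not JSON."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return []
    findings = []
    for path, key, value in walk(body):
        if not key.startswith("as "):
            continue
        cls = class_name_of(value)
        if cls is None:
            findings.append(("low", path, None))    # 'as ' key without a class definition
        elif cls.endswith("Behavior"):
            findings.append(("low", path, cls))     # named like a Behavior; still worth review
        else:
            findings.append(("high", path, cls))    # arbitrary class handed to createObject()
    return findings
```

Feed it the raw body of each POST/JSON request at the WAF or application log layer; a "high" finding on a mass-assignment endpoint is the condition the advisory's fix removes.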

Official Patches

  • YiiSoft: Patch for CVE-2024-4990
  • YiiSoft: Advisory recommending upgrade to 2.0.52 to cover regressions

Fix Analysis

Technical Appendix

CVSS Score: 9.1 / 10
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability: 0.29% (top 48% most exploited)

Affected Systems

  • Yii Framework 2 (yiisoft/yii2) < 2.0.49.4
  • Craft CMS (via underlying Yii2 dependency)
  • HumHub (via underlying Yii2 dependency)
  • Any PHP application using Yii2 components with mass assignment

Affected Versions Detail

Product: yiisoft/yii2 (vendor: YiiSoft)
Affected Versions: < 2.0.49.4
Fixed Version: 2.0.49.4

Attribute Detail

CWE: CWE-470 (Unsafe Reflection)
CVSS v3.1: 9.1 (Critical)
Attack Vector: Network (POST/JSON)
Exploit Status: High (PoC Available & Bypass Active)
EPSS Score: 0.29%
Related CVE: CVE-2024-58136 (Bypass)

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1203 Exploitation for Client Execution (Execution)

CWE-470: Unsafe Reflection
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Known Exploits & Detection

  • Huntr: Original report with PoC for Guzzle gadget exploitation

Vulnerability Timeline

  • 2024-06-04: Yii 2.0.49.4 released with initial fix
  • 2025-03-20: CVE-2024-4990 published
  • 2025-02-01: Active exploitation of regression (CVE-2024-58136) detected

References & Sources

  • [1] Huntr Advisory
  • [2] Snyk Vulnerability Database

Related Vulnerabilities

  • CVE-2024-58136

Attack Flow Diagram
