Craft CMS Authenticated RCE via Yii2 Behavior Injection

Craft CMS is built on top of the Yii2 PHP framework, which utilizes a powerful component-based architecture. A core feature of Yii2 is its dependency injection container and configuration system, where objects extending yii\base\Component can be initialized using configuration arrays. These arrays support 'magic' keys that dictate how the object is constructed.

Two specific keys are critical to this vulnerability: as <behaviorName> and on <eventName>. The as key allows developers to dynamically attach 'Behaviors'—classes that inject methods and properties into the component. The on key binds event handlers to the component. While powerful for developers, these features present a significant attack surface if user-controlled input allows the injection of these keys. An attacker can use them to attach arbitrary classes or trigger execution flows that were not intended by the application logic.

To mitigate this, Craft CMS implements a cleanseConfig() method designed to strip these dangerous keys from user input. However, the effectiveness of this sanitization depends entirely on when it is applied in the request lifecycle relative to data merging.

The vulnerability lies in the src/controllers/FieldsController.php file, specifically within the actionSaveFieldLayout method (and similar endpoints handling layout settings). The application processes configuration data sent via POST requests to update field layouts. The root cause is a logic error in the order of operations regarding input sanitization.

The application correctly identified the need to sanitize the primary configuration array using Component::cleanseConfig(), which removes keys starting with as or on . However, after this sanitization step, the code retrieved an additional settings parameter from the request, decoded it from JSON, and merged it into the already-cleansed configuration array.

Because the merge occurred post-sanitization, the settings array could reintroduce the forbidden as and on keys. When the resulting array was subsequently used to instantiate or configure a component, Yii2 processed these keys, initializing the attacker-defined behaviors. This creates a classic 'Time-of-Check to Time-of-Use' (TOCTOU) style flaw where the data is validated (cleansed) and then modified (merged) before use.

The following code comparison illustrates the vulnerability in src/controllers/FieldsController.php. In the vulnerable version, the cleanseConfig call happens before the user-supplied $settings are merged into the config.

Vulnerable Code (Simplified):

// 1. Primary config is sanitized
$config = Component::cleanseConfig($config);
 
// 2. User-supplied 'settings' are retrieved
$settings = $this->request->getBodyParam('settings');
 
// 3. Settings are merged into the CLEAN config (VULNERABILITY)
// Malicious 'as' or 'on' keys in $settings bypass step 1
if ($settings) {
    $config = array_merge($config, $settings);
}
 
// 4. Component is created with tainted config
$field = Craft::createObject($config);

Patched Code:

The fix involves ensuring that cleanseConfig is the final step before object creation. The patch moves the sanitization call to after all merging operations are complete.

$settings = $this->request->getBodyParam('settings');
 
if ($settings) {
    $config = array_merge($config, $settings);
}
 
// FIX: Sanitize AFTER merging all user input
$config = Component::cleanseConfig($config);
 
$field = Craft::createObject($config);

By moving the sanitization call to the end of the preparation block, the developers ensure that no matter what data is merged from the request parameters, the dangerous as and on keys are stripped before the Yii2 factory processes the array.

To exploit this vulnerability, an attacker requires authentication to the Craft CMS Control Panel with permissions to access field layout settings. The attack leverages a specific gadget class available in the Yii2 framework: yii\behaviors\AttributeTypecastBehavior.

The attacker constructs a JSON payload targeting the settings parameter. The payload does two things: it attaches the AttributeTypecastBehavior and configures it to execute a system command. The AttributeTypecastBehavior class has a property typecastBeforeSave which accepts a callable. By binding the behavior's execution to a wildcard event (*), the attacker forces the callable to execute immediately upon component activity.

Payload Structure:

1. as rce: Attaches yii\behaviors\AttributeTypecastBehavior.
2. attributeTypes: Maps a dummy attribute to the PHP function exec (or similar).
3. typecastBeforeSave: Provides the arguments for the command (e.g., touch /tmp/pwned).
4. on *: Triggers the beforeSave event handler of the behavior on any event.

When the server processes the apply-layout-element-settings action, it instantiates the component. The Yii2 framework sees the as key, attaches the behavior, and due to the on key, triggers the behavior's methods, resulting in the execution of the PHP callable defined in the payload.

The successful exploitation of CVE-2025-68455 results in Remote Code Execution (RCE) in the context of the web server user (typically www-data). Although authentication is required, the risk remains high for several reasons.

First, in many organizations, 'Administrator' access to a CMS is not equivalent to full server root access. This vulnerability bridges that gap, allowing a CMS admin to pivot to the underlying operating system, potentially accessing other applications, database credentials, or environment variables stored on the server.

Second, this vulnerability allows for the installation of persistent backdoors. An attacker could modify the CMS source code or drop web shells that persist even if the CMS credentials are later changed. The vulnerability has a CVSS v3.1 score of 7.2 (High) and a CVSS v4.0 score of 8.6, reflecting the severity of the impact despite the privilege requirement.