Summary:  
A serious security flaw, CVE-2022-41922, was identified in the Yii 1.x PHP framework (the yiisoft/yii package). If your application runs Yii before version 1.1.27 and calls unserialize() on data taken from user input, an attacker can achieve Remote Code Execution (RCE) on your server. In this post we break down how the vulnerability works, show example code, provide links for further reading, and discuss how to fix and mitigate it.

What Is CVE-2022-41922?

CVE-2022-41922 is a PHP object injection (insecure deserialization) vulnerability: an attacker passes crafted serialized PHP objects to any part of a Yii 1.x application that calls unserialize() on user-controlled data. PHP instantiates whatever classes the payload names, with attacker-chosen property values, and classes shipped by the framework itself supplied the "gadget" chain whose magic methods turn that into code execution, often leading to full system compromise.

- CVE Record - CVE-2022-41922
- GitHub security advisory for yii
- Yii release notes

Why Is unserialize() Dangerous?

The PHP function unserialize() is unsafe on any data you do not fully trust. When it processes attacker-supplied bytes, PHP creates objects of whatever loaded or autoloadable classes the payload names, fills their properties with attacker-chosen values, and then automatically runs "magic methods" such as __wakeup (on unserialization), __destruct (when the object is freed) or __toString. If any of those methods does something dangerous with a property value (unlink a path, include a file, run a command), the attacker can abuse it to execute code on your server, read or delete files, or escalate privileges.

Example of Vulnerable Code

// $userInput is received directly from the request (POST, GET, or cookies)
$userInput = $_POST['data'];
$obj = unserialize($userInput); // Vulnerable! Attacker picks the class and its properties

If $userInput comes directly from a web request, this code is at risk.

How the Attack Works

1. The attacker finds a part of your Yii application that unserializes user input.

2. The attacker creates a serialized payload that, when unserialized, will invoke a “magic method” (such as __destruct or __wakeup) in a class loaded by your application.

Suppose your application has this class:

class FileDeleter {
    // Attacker-controlled once the object comes from unserialize()
    public $file = '/tmp/test.txt';

    // Runs automatically when the object is freed; no method call needed
    function __destruct() {
        unlink($this->file);
    }
}

An attacker could send the following payload to delete any file the PHP process is allowed to remove:

// On the attacker's machine (the class definition above must be available here too)
$obj = new FileDeleter();
$obj->file = '/etc/passwd';      // set the property before serializing so the s:N length prefix stays correct
$payload = serialize($obj);      // O:11:"FileDeleter":1:{s:4:"file";s:11:"/etc/passwd";}
echo urlencode($payload);

Then, the attacker submits this payload to the vulnerable endpoint. When unserialize() processes it and the resulting object is freed, __destruct() runs and /etc/passwd is deleted. (In practice the web server user usually cannot remove /etc/passwd, but any file it can write, such as application config, cache or upload files, is at risk.)

With more complex gadget chains (combining classes that are already loaded or autoloadable in Yii or your application, each one passing attacker-controlled values on to the next), the attacker can reach a sink such as eval(), include() or a shell call and achieve full RCE.
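To make "gadget chain" concrete, here is an added illustration of how two harmless-looking classes compose into code execution. This is my example, not code from the original post, not Yii's classes, and not the real CVE-2022-41922 chain; BufferedLogger and CommandLogWriter are hypothetical stand-ins for ordinary framework code.

```php
<?php
// Added illustration of a two-step gadget chain. The classes are hypothetical
// stand-ins, NOT Yii's classes and NOT the real CVE-2022-41922 chain.

// Gadget 1: flushes buffered log lines on destruction through whatever
// "writer" object it holds. Nothing here is wrong on its own.
class BufferedLogger {
    public $lines  = [];
    public $writer = null;     // intended to be a trusted log writer

    public function __destruct() {
        if ($this->writer !== null) {
            $this->writer->write(implode("\n", $this->lines));
        }
    }
}

// Gadget 2: a writer that pipes log text into an external command.
// Also harmless as long as $command comes from configuration, not a client.
class CommandLogWriter {
    public $command = 'cat >> /var/log/app.log';

    public function write(string $data): void {
        shell_exec('printf %s ' . escapeshellarg($data) . ' | ' . $this->command);
    }
}

// --- Attacker side: build the chain out of the victim's own classes. ---
function buildPayload(string $cmd): string {
    $writer = new CommandLogWriter();
    $writer->command = $cmd;               // attacker-chosen command
    $logger = new BufferedLogger();
    $logger->writer = $writer;             // destructor now reaches write()
    $payload = serialize($logger);
    $logger->writer = null;                // keep the destructor inert on our own machine
    return $payload;
}

// --- Victim side: the only bug is calling unserialize() on client bytes. ---
function vulnerableHandler(string $untrusted): void {
    $obj = unserialize($untrusted);        // recreates BufferedLogger + CommandLogWriter
    // When $obj goes out of scope, BufferedLogger::__destruct() runs, calls
    // CommandLogWriter::write(), and the attacker's command executes.
}

$payload = buildPayload('id > /tmp/gadget-demo.txt');
// O:14:"BufferedLogger":2:{s:5:"lines";a:0:{}s:6:"writer";O:16:"CommandLogWriter":1:{s:7:"command";s:25:"id > /tmp/gadget-demo.txt";}}
vulnerableHandler($payload);
echo file_get_contents('/tmp/gadget-demo.txt');   // output of `id`, run by the "server"
```

Neither class calls unserialize() or does anything suspicious by itself; the chain exists only because PHP lets the payload choose the concrete class behind $writer and the value of $command. That is why the fix has to be "never unserialize untrusted data", not "audit the destructors".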

How to Fix It

1. Upgrade Yii

The Yii team patched this issue in version 1.1.27. Update your application now:

- Yii 1.1.27 Release

Upgrade command if using Composer:

composer require yiisoft/yii:1.1.27

2. Never Unserialize Untrusted Data

Upgrading removes the gadget chain that Yii itself provided, but your own classes (and any other library you load) can supply another one. Do not do this:

// BAD: Don't unserialize user input!
$data = unserialize($_POST['user_value']);

Instead, use a data format that can only produce arrays and scalars, such as JSON, and fail closed on malformed input:

// SAFER: json_decode() never instantiates application classes
$data = json_decode($_POST['user_value'], true, 512, JSON_THROW_ON_ERROR);

3. Audit Your Code

Search for "unserialize" in your codebase and look for every place it might receive values from $_POST, $_GET, $_COOKIE, $_REQUEST, uploaded files, or Yii's request helpers, including indirect paths such as cache entries, session data or database rows that were originally filled from user input. Refactor those parts to use JSON, or at minimum pass ['allowed_classes' => false] as the second argument so PHP cannot instantiate application classes from the data.
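A plain grep will list every unserialize() but cannot tell you which calls restrict classes or read request data directly. The following added audit script (my example, not part of Yii or the original post) uses PHP's tokenizer to do that: it reports each unserialize() call, flags calls with no second argument (no allowed_classes restriction), and marks calls whose arguments mention a superglobal or Yii 1's CHttpRequest accessors getParam()/getPost()/getQuery(). The flagged/tainted heuristics are deliberately simple and are assumptions of this demo, not a complete taint analysis.

```php
<?php
// Added audit helper; not part of Yii or the original post.
// Usage: php find_unserialize.php /path/to/app
// With no path it scans the constructed sample at the bottom of this file.

function findUnserializeCalls(string $code, string $file): array {
    $hits   = [];
    $tokens = token_get_all($code);
    $n      = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        // PHP 8 tokenizes "\unserialize" as one T_NAME_FULLY_QUALIFIED token.
        $isName = is_array($t) && ($t[0] === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $t[0] === T_NAME_FULLY_QUALIFIED));
        if (!$isName || strcasecmp(ltrim($t[1], '\\'), 'unserialize') !== 0) {
            continue;
        }
        // Skip $obj->unserialize(), Foo::unserialize() and "function unserialize(".
        $j = $i - 1;
        while ($j >= 0 && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) $j--;
        if ($j >= 0 && is_array($tokens[$j])
            && in_array($tokens[$j][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        // Must be followed by "(" to be a call.
        $k = $i + 1;
        while ($k < $n && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) $k++;
        if ($k >= $n || $tokens[$k] !== '(') continue;

        // Walk to the matching ")" counting top-level commas (argument count)
        // and collecting the call text for the taint check.
        $depth = 0; $args = 0; $text = '';
        for ($m = $k; $m < $n; $m++) {
            $tok = $tokens[$m];
            $ch  = is_array($tok) ? $tok[1] : $tok;
            $text .= $ch;
            if ($ch === '(' || $ch === '[' || $ch === '{' || $ch === '${') {
                $depth++;
            } elseif ($ch === ')' || $ch === ']' || $ch === '}') {
                if (--$depth === 0) break;
            } elseif ($depth === 1 && $ch === ',') {
                $args++;
            } elseif ($depth >= 1 && $args === 0 && $m > $k
                      && !(is_array($tok) && $tok[0] === T_WHITESPACE)) {
                $args = 1;   // first non-empty argument seen
            }
        }
        $hits[] = [
            'file'       => $file,
            'line'       => $t[2],
            'args'       => $args,
            'restricted' => $args >= 2,   // a second argument is where allowed_classes goes
            'tainted'    => (bool) preg_match(
                '/\$_(POST|GET|COOKIE|REQUEST|FILES)\b|->get(Param|Post|Query)\s*\(/', $text),
        ];
    }
    return $hits;
}

function scanTree(string $root): array {
    $hits  = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $f) {
        if (strtolower($f->getExtension()) === 'php') {
            $hits = array_merge($hits,
                findUnserializeCalls(file_get_contents($f->getPathname()), $f->getPathname()));
        }
    }
    return $hits;
}

function report(array $hits): void {
    foreach ($hits as $h) {
        printf("%s:%d  args=%d  %s%s\n", $h['file'], $h['line'], $h['args'],
            $h['restricted'] ? 'allowed_classes given' : 'NO allowed_classes restriction',
            $h['tainted'] ? '  <-- reads request data directly' : '');
    }
}

if (isset($argv[1])) {
    report(scanTree($argv[1]));
} else {
    // Constructed sample so the script can be tried without a code base.
    $sample = '<?php
$a = unserialize($_POST["data"]);                          // flagged, tainted
$b = unserialize(Yii::app()->request->getParam("s"));      // flagged, tainted
$c = unserialize($cached, ["allowed_classes" => false]);   // restricted
$d = $this->unserialize($x);                               // method call, ignored
';
    report(findUnserializeCalls($sample, 'sample.php'));
}
```

Treat every "NO allowed_classes restriction" line as a finding to read by hand: a call whose argument is not tainted here may still be fed by a cache, session or database value that a user controlled earlier.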

How Was it Patched?

The Yii developers changed the framework classes involved so that a crafted serialized object can no longer be turned into code execution through Yii's own code, and documented the issue in the 1.1.27 release notes. But keep in mind that no framework can fully protect you if you write code that unserializes untrusted input: the next gadget chain can just as easily come from your own classes or another library you load.

References

- NIST NVD: CVE-2022-41922
- Yii 1.1.27 Release Notes
- PHP Manual: unserialize()

Conclusion

CVE-2022-41922 is straightforward but highly dangerous. Never trust external data, especially with unserialize()!
Upgrade Yii to 1.1.27 or higher, and double-check your code for unsafe unserialize() usage today.

Timeline

Published on: 11/23/2022 18:15:00 UTC
Last modified on: 11/30/2022 13:44:00 UTC