CVE-2024-58136 - Yii2 Behavior Attach Bypass & Wild Exploitation (Exclusive Long Read)
Intro
In the early months of 2025, security experts started noticing attacks leveraging a fresh vulnerability in Yii 2 web applications. Dubbed CVE-2024-58136, this bug is a regression of a previously patched issue (CVE-2024-499). This new flaw affects Yii 2 before version 2..52, and it’s already seen real-world exploitation. Here’s an exclusive deep dive, written for everyday developers who want to understand the flaw, see example code, and learn how attackers exploited it.
TL;DR
- CVE-2024-58136 happens when behaviors are attached via arrays, including a dangerous __class key.
What’s Going On? (Background)
Yii 2 is a super popular PHP framework. It lets apps add “behaviors” (extra features) to objects easily. You can attach behaviors with arrays. Here’s how it *should* work:
```php
$model->attachBehavior('myBehavior', [
    'class' => MyBehavior::class,
    'property' => 'safe',
]);
```
But in some cases, if attackers could submit their own “behaviors”, and Yii failed to validate them, it could lead to unsafe code execution. Yii’s team tried to fix this with CVE-2024-499, but a new way around the patch was found and tracked as CVE-2024-58136.
The Heart of the Problem
In Yii <=2..51, when you give an array to attachBehavior() or define it in a config, the framework checks for 'class' and makes an object from the class name you provide. Originally, Yii wasn’t strict enough in what class names it accepted.
Attackers realized they could get around the checks by using a __class array key (with double underscores), based on how PHP array merging happens. This lets them sneak in a class name, and Yii's code would pick up the wrong value and load *their* class instead of a safe one. If the attacker can control what class is loaded, and the class uses __wakeup, __destruct, or dangerous code, remote code execution (RCE) is possible.
Here’s a stylized, dangerous snippet attackers might trigger:
```php
$array = [
    '__class' => 'EvilClass', // Malicious key
    'safe' => 'data',
];
// Yii sees 'class' => 'EvilClass' due to array merging logic!
$model->attachBehavior('exploit', $array);
// EvilClass can now run arbitrary PHP code (say by overriding __wakeup)
```
Yii’s flawed merge picks up __class as the real PHP class to instantiate. If EvilClass is something within reach (abusing PHP’s autoloading, or a gadget chain), it can pop a shell, run commands, or dump secrets.
---
Exploit in the Wild
Reports surfaced (see WPScan and GitHub issues) of this bug being used for:
- Data theft in multi-user SaaS setups built on Yii2
Multiple researchers traced exploitation spikes to shortly after the CVE-2024-499 patches, with attackers immediately looking for unpatched sites.
Mitigations
- Audit custom attachBehavior usages in your codebase.
- Block untrusted input: make sure end users can’t submit arbitrary PHP class names in behaviors, JSON, or config!
Patch Diff (What Was Fixed)
Yii now strictly checks for 'class', and ignores __class or weird keys. Merged behaviors are sanitized before creating objects.
Fixed Example
```php
if (isset($behavior['class']) && !isset($behavior['__class'])) {
    // Only valid class used
    $object = Yii::createObject($behavior);
} else {
    // Malicious input detected
    throw new Exception('Invalid behavior config');
}
```
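Rejecting the __class key closes the hole described above, but an allowlist of permitted behavior classes is a stronger guard than a denylist of keys. The following is an added example, not Yii’s own code: the validateBehaviorConfig() function, the BehaviorConfigError exception and the class names are assumptions. It rejects any key starting with a double underscore, requires a string 'class' key, and only accepts classes from an explicit allowlist (needs PHP 8 for str_starts_with()).

```php
<?php
// Added example (not Yii's code): strict validation of a behavior config array
// before it reaches any object factory such as Yii::createObject().
declare(strict_types=1);

final class BehaviorConfigError extends \RuntimeException {}

/**
 * Validate a behavior configuration and return the class name that may be instantiated.
 * Throws BehaviorConfigError on any suspicious or non-allowlisted input.
 */
function validateBehaviorConfig(array $config, array $allowedClasses): string
{
    foreach (array_keys($config) as $key) {
        // Reject magic-looking keys outright; '__class' is the key abused by CVE-2024-58136.
        if (!is_string($key) || str_starts_with($key, '__')) {
            throw new BehaviorConfigError('Forbidden key: ' . var_export($key, true));
        }
    }
    if (!isset($config['class']) || !is_string($config['class'])) {
        throw new BehaviorConfigError("Missing or non-string 'class' key");
    }
    $class = ltrim($config['class'], '\\');
    // Compare against an allowlist, not just class_exists(): autoloadable does not mean safe.
    if (!in_array($class, $allowedClasses, true)) {
        throw new BehaviorConfigError('Class not in allowlist: ' . $class);
    }
    return $class;
}

// Constructed inputs for illustration (hypothetical class names).
$allowed = ['app\\behaviors\\TimestampBehavior'];

$good = ['class' => 'app\\behaviors\\TimestampBehavior', 'attribute' => 'updated_at'];
$bad  = ['__class' => 'EvilClass', 'safe' => 'data']; // the shape from the snippet above
$bad2 = ['class' => 'EvilClass'];                     // valid key, but not allowlisted

foreach ([$good, $bad, $bad2] as $cfg) {
    try {
        echo 'accepted: ' . validateBehaviorConfig($cfg, $allowed) . PHP_EOL;
    } catch (BehaviorConfigError $e) {
        echo 'rejected: ' . $e->getMessage() . PHP_EOL;
    }
}
```

Run it with `php validate.php`; only the first config is accepted, the other two are rejected before any class is loaded.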
Conclusion
CVE-2024-58136 is a clear lesson that security regressions can and do happen, especially with complex PHP frameworks like Yii. Don’t assume an old patch is bulletproof. If you use Yii 2, make sure you’re on the *latest version*. Audit your attachBehavior code, and watch for weird array keys.
Don’t be part of the next wave of exploitation. Patch now.
Timeline
Published on: 04/10/2025 03:15:17 UTC
Last modified on: 04/28/2025 18:46:35 UTC