#VU107992 Improper protection of alternate path in Yii - CVE-2024-58136
Published: April 28, 2025
Vulnerability identifier: #VU107992
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2024-58136
CWE-ID: CWE-424
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
Yii
Yii
Software vendor:
Yii Software
Yii Software
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper protection of alternate path in framework/base/Component.php. A remote non-authenticated attacker can send a specially crafted request to the application and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild since February 2025.
Remediation
Install updates from vendor's website.
External links
- https://github.com/yiisoft/yii2/commit/40fe496eda529fd1d933b56a1022ec32d3cd0b12
- https://github.com/yiisoft/yii2/compare/2.0.51...2.0.52
- https://github.com/yiisoft/yii2/pull/20232
- https://github.com/yiisoft/yii2/pull/20232#issuecomment-2252459709
- https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52