What is CVE-2024-4990?

A critical vulnerability in Yiisoft Yii Framework version 2.0.48 allows attackers to instantiate arbitrary classes via the `__set()` magic method. Organizations must prioritize patching to prevent potential exploitation.

What is the severity of CVE-2024-4990?

CVE-2024-4990 has a severity rating of CRITICAL with a CVSS base score of 9.1.

CVE-2024-4990 | Critical Vulnerability in Yiisoft Yii Framework

In Yiisoft Yii Framework version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This vulnerability allows attackers to instantiate arbitrary classes, passing parameters to their constructors and invoking setter methods. Depending on the installed dependencies, various types of attacks are possible, including the execution of arbitrary code, retrieval of sensitive information, and unauthorized access.

The severity of this vulnerability is rated as critical, with a CVSS score of 9.1, indicating significant risk to organizations. The vulnerability is exploitable over a network with low attack complexity, requiring no privileges or user interaction, which makes it particularly dangerous.

Risk to organizations includes potential unauthorized access to sensitive data and execution of arbitrary code, which could lead to significant operational disruptions. Organizations should prioritize patching immediately to mitigate this risk.

Currently, there is no known public exploit for this vulnerability, but the nature of the vulnerability poses a real threat. Security teams must remain vigilant and implement appropriate mitigations.

Organizations should monitor their systems for unusual activity and apply updates as soon as they are available to minimize exposure to this vulnerability.

Vulnerability Details

The vulnerability allows attackers to exploit the `__set()` magic method in the Yii Framework, which does not perform proper validation. The official CVE description states that this issue can potentially lead to various attacks based on the context and installed dependencies.

The CVSS score of 9.1 categorizes this vulnerability as critical, indicating a severe risk to confidentiality, integrity, and availability of affected systems.

Technical Analysis

The root cause of this vulnerability lies in the failure to validate input in the `__set()` method, allowing for arbitrary class instantiation. The attack vector is network-based, with low complexity involved, meaning attackers can exploit it easily and remotely.

Since no privileges are required, and user interaction is not necessary, attackers can exploit this vulnerability without any special conditions. The potential impacts include high confidentiality and availability impacts, with no integrity impact.

Risk & Impact Analysis

The risk posed by CVE-2024-4990 is particularly significant as it allows for the execution of arbitrary code and unauthorized access to sensitive information. The blast radius could be extensive, especially for organizations utilizing the Yii Framework in critical applications.

Organizations need to assess their exposure and prioritize patching in their security management processes. Given the CVSS severity and potential for exploitation, immediate action is advised.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The affected version is Yiisoft Yii Framework 2.0.48. Organizations should upgrade to the latest version to mitigate this vulnerability.

Mitigation & Remediation

Organizations should apply the latest patches for the Yii Framework as soon as they are available. If no patch is available, consider implementing configuration hardening to limit the impact of this vulnerability.

Additionally, organizations may benefit from conducting a thorough security assessment, including application security assessments to identify potential vulnerabilities and ensure secure configurations.

Detection Guidance

Monitoring logs for unusual behavior will help in early detection of exploitation attempts. Organizations should focus on identifying anomalies, specifically related to unauthorized class instantiation or unexpected behavior in application components.

AppSecure Threat Intelligence Insight

The vulnerability in Yiisoft Yii Framework highlights a critical area of concern in application security. Organizations should take proactive steps to secure their applications against similar vulnerabilities.

As the threat landscape evolves, vulnerabilities like CVE-2024-4990 underscore the importance of continuous security testing and adaptation of security practices. Security teams can learn from this incident and enhance their defensive strategies.

For further insights on securing applications and preventing vulnerabilities, organizations can refer to the following resources: penetration testing methodology, vulnerability management program design, and API penetration testing guide to strengthen security postures.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2024-4990: Critical Vulnerability in Yiisoft Yii Framework