CVE-2024-58136 — yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array K

Description

Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

How to fix CVE-2024-58136

To remediate CVE-2024-58136, upgrade the affected package to a fixed version below.

—upgrade to 2.0.52 or later

Is CVE-2024-58136 being exploited?

Yes — CVE-2024-58136 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (1)

from 0, < 2.0.52

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.0	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-58136
PATCHgithub.com/yiisoft/yii2
WEBgithub.com/yiisoft/yii2/commit/40fe496eda529fd1d933b56a1022ec32d3cd0b12
WEBgithub.com/yiisoft/yii2/compare/2.0.51...2.0.52
WEB