CVE-2025-2690

MEDIUM

Yii2 <2.0.39 - Deserialization

Title source: llm

Description

A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

References (4)

[Exploit, Third Party Advisory] https://github.com/gaorenyusi/gaorenyusi/blob/main/Yii2-2.md

View Exploit ZIP pw:eip

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.300711

[Permissions Required, VDB Entry] https://vuldb.com/?id.300711

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.521718

Scores

CVSS v3 6.3

EPSS 0.0016

EPSS Percentile 36.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-502 CWE-20

Status published

Affected Products (1)

yiiframework/yii < 2.0.39

Timeline

Published Mar 24, 2025

Tracked Since Feb 18, 2026