CVE-2025-2689 – yiisoft/yii2-dev

Package

Manager: composer
Name: yiisoft/yii2-dev
Vulnerable Version: >=0 <=2.0.45

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00108 pctl0.29698

Details

yiisoft Yii2 Deserialization of Untrusted Data A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Metadata

Created: 2025-03-24T09:34:03Z
Modified: 2025-03-24T21:31:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-88m2-j94x-v4fx/GHSA-88m2-j94x-v4fx.json
CWE IDs: ["CWE-20", "CWE-502"]
Alternative ID: GHSA-88m2-j94x-v4fx
Finding: F096
Auto approve: 1