GHSA-88m2-j94x-v4fx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-88m2-j94x-v4fx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-88m2-j94x-v4fx/GHSA-88m2-j94x-v4fx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-88m2-j94x-v4fx
- Aliases
- Published
- 2025-03-24T09:34:03Z
- Modified
- 2025-03-24T22:18:41.871521Z
- Severity
-
- 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- yiisoft Yii2 Deserialization of Untrusted Data
- Details
-
A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
- Database specific
{ "nvd_published_at": "2025-03-24T07:15:14Z", "cwe_ids": [ "CWE-20", "CWE-502" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-03-24T21:31:19Z" }- References
Affected packages
Packagist / yiisoft/yii2-dev
Package
- Name
- yiisoft/yii2-dev
- Purl
- pkg:composer/yiisoft/yii2-dev
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected2.0.45
Affected versions
2.*
2.0.0-alpha
2.0.0-beta
2.0.0-rc
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.11.1
2.0.11.2
2.0.12
2.0.12.1
2.0.12.2
2.0.13
2.0.13.1
2.0.13.2
2.0.13.3
2.0.14
2.0.14.1
2.0.14.2
2.0.15
2.0.15.1
2.0.16
2.0.16.1
2.0.17
2.0.18
2.0.19
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
2.0.39
2.0.39.1
2.0.39.2
2.0.39.3
2.0.40
2.0.41
2.0.41.1
2.0.42
2.0.42.1
2.0.43
2.0.44
2.0.45