CVE-2024-58136 — Yiiframework Yii Improper Protection of Alternate Path Vulnerability

Yii PHP Framework — Alternate Path Bypass Enables RCE in Apps Built on Yii (Including Craft CMS); CVSS 9.0

What is the Yii PHP Framework?

Yii is an open-source PHP framework used to build web applications — popular for its performance, extensibility, and Convention over Configuration approach. Major applications built on Yii include Craft CMS (the popular content management system, see CVE-2024-56145 and CVE-2025-23209) and various enterprise PHP applications. Yii's routing and request handling logic forms the security-critical core of applications built on it — vulnerabilities in Yii's route processing can affect any application using the framework.

Overview

CVE-2024-58136 is an improper protection of alternate path vulnerability (CWE-424) in the Yii PHP framework that allows a remote unauthenticated attacker to bypass route access controls and execute application code through alternate URL paths that should be protected. The Changed scope (S:C) reflects that the vulnerable component (the framework) and the impacted component (the application built on it) differ, so the flaw affects applications built on Yii — including Craft CMS, which CISA's KEV entry names explicitly: "This vulnerability could affect other products that implement Yii, including—but not limited to—Craft CMS, as represented by CVE-2025-32432".

Affected Versions

Product            Vulnerable        Fixed
Yii Framework 2.x  < 2.0.52          2.0.52

Applications built on Yii (Craft CMS, etc.) must upgrade their bundled Yii version or ensure their framework version is 2.0.52+.
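The version check in the paragraph above can be automated against a project's Composer lock file. The following script is an added example, not code from the Yii project or from this advisory. It assumes the framework is installed through Composer under the package name yiisoft/yii2 (the name Yii 2 publishes) and that a composer.lock file is available; the lock-file content embedded below is constructed for illustration, and the Craft CMS version in it is a made-up value.

```python
"""Check a Composer lock file for a Yii 2 version below the fixed 2.0.52."""
import json
import re
import sys

FIXED_VERSION = (2, 0, 52)      # Yii 2.0.52 contains the fix (vendor advisory)
YII_PACKAGE = "yiisoft/yii2"    # Yii 2's Composer package name

# Constructed sample composer.lock; only the fields this check reads are present.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.6.0"},       # constructed value
        {"name": "yiisoft/yii2", "version": "v2.0.49.4"},   # constructed value
    ]
})


def parse_version(text):
    """Turn a string such as 'v2.0.49.4' into the tuple (2, 0, 49, 4)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def is_vulnerable(version):
    """True when a Yii 2.x version string is below the fixed 2.0.52.

    Only the 2.x line is in scope for this CVE; anything else returns False.
    Comparing the first three components means 2.0.52.1 is treated as fixed
    and 2.0.49.4 as vulnerable.
    """
    v = parse_version(version)
    if not v or v[0] != 2:
        return False
    return v[:3] < FIXED_VERSION


def find_yii_version(lock_json):
    """Return the locked yiisoft/yii2 version string, or None if absent."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == YII_PACKAGE:
                return pkg.get("version")
    return None


def check_lock(lock_json):
    """Summarise whether the lock file pins a vulnerable Yii 2 release."""
    version = find_yii_version(lock_json)
    if version is None:
        return {"found": False, "version": None, "vulnerable": False}
    return {"found": True, "version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    # Usage: python check_yii.py path/to/composer.lock (falls back to the sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(check_lock(source))
```

Run it against each Yii-based application's composer.lock rather than composer.json, because the lock file records the version actually installed, which is what matters for remediation step 2 (a Craft CMS install pins its own bundled Yii there).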

Technical Details

The improper protection of alternate path (CWE-424) vulnerability is in Yii's request routing and controller access control mechanism. Yii's router maps incoming HTTP request paths to controller/action pairs. The vulnerability allows an attacker to supply an alternate path format or encoding that the access control layer does not recognize as equivalent to a protected path — allowing the request to reach a protected controller action without triggering access control checks.

Application impact: Applications built on Yii that implement route-level access controls may have those controls bypassed for any protected action. Depending on what those protected actions do (form submission, file upload, admin functionality), the bypass enables various attacks up to and including remote code execution in applications where protected actions execute powerful operations.

Craft CMS connection: Craft CMS uses Yii as its underlying framework. CVE-2024-58136 is the Yii-level vulnerability; CVE-2025-32432 is the specific Craft CMS manifestation of how the Yii bypass enables Craft-specific RCE.

Exploitation Context

CISA added CVE-2024-58136 to the KEV catalog on May 2, 2025, citing confirmed exploitation in web applications built on Yii — particularly in the context of Craft CMS installations. The High attack complexity (AC:H) reflects that the bypass requires specific alternate path crafting knowledge, but this knowledge was clearly available to threat actors exploiting Craft CMS deployments.

Remediation

  1. Upgrade Yii Framework to 2.0.52 or later in all applications that use it.
  2. Upgrade Craft CMS to a version that bundles Yii 2.0.52+ — check your Craft version's bundled Yii version.
  3. Apply web application firewall rules to block anomalous URL path encodings as a defense-in-depth measure.
  4. Audit access control logs for requests to protected controller paths from unexpected sources around the April–May 2025 period.
  5. Review all Yii-based applications in your environment — not just Craft CMS — for this vulnerability class.
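The audit in step 4 can be started from ordinary web-server access logs: canonicalise each request path the way a router would (percent-decoding, duplicate-slash collapse, dot-segment resolution, case folding) and flag requests that only match a protected route prefix after canonicalisation, since those are the requests an access-control check keyed on the raw string could have missed. This is an added example of that generic technique; it is not code from the Yii project and does not reproduce the specific bypass, which this advisory does not detail. It assumes combined-format access logs and a list of protected route prefixes; the log lines, IP addresses and prefixes below are constructed for illustration.

```python
"""Flag log entries whose raw path matches a protected route only after
canonicalisation, i.e. where an access-control layer may have seen a different
string than the router dispatched on."""
import posixpath
import re
from urllib.parse import unquote

# Constructed: route prefixes the application guards with access rules.
PROTECTED_PREFIXES = ("/admin/", "/site/upload")

# Constructed sample access-log lines (combined log format) in the April-May 2025 window.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Apr/2025:10:01:02 +0000] "GET /site/index HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Apr/2025:10:01:05 +0000] "GET /admin/dashboard HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Apr/2025:03:14:15 +0000] "POST /%61dmin/settings HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [29/Apr/2025:03:14:20 +0000] "POST /site//upload HTTP/1.1" 200 91 "-" "curl/8.0"
198.51.100.7 - - [29/Apr/2025:03:14:25 +0000] "GET /site/../admin/users HTTP/1.1" 200 300 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def canonical_path(target):
    """Reduce a request target to the path form a router would dispatch on."""
    path = target.split("?", 1)[0]        # drop the query string
    path = unquote(path)                  # decode %XX escapes (single pass)
    path = re.sub(r"/{2,}", "/", path)    # collapse duplicate slashes first:
    path = posixpath.normpath(path)       # normpath keeps a leading '//' as-is
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()                   # case-fold for case-insensitive routing


def is_protected(path):
    """Prefix check standing in for the application's route access rules."""
    return any(path.startswith(p) for p in PROTECTED_PREFIXES)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["canonical"] = canonical_path(rec["target"])
    return rec


def audit(log_text):
    """Return records whose canonical path is protected but whose raw path
    would not have satisfied the same prefix check."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        raw = rec["target"].split("?", 1)[0]
        if is_protected(rec["canonical"]) and not is_protected(raw):
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["method"], f["target"], "->", f["canonical"], f["status"])
```

A direct request to /admin/dashboard is not reported, because raw and canonical forms agree; the three constructed curl requests are, because only their canonical form reaches a protected prefix. Treat the output as a triage list: compare each hit against the application's own access-control log for the same timestamp, and give weight to hits that returned 200 rather than a redirect or 403.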

Key Details

Property             Value
CVE ID               CVE-2024-58136
Vendor / Product     Yiiframework — Yii
NVD Published        2025-04-10
NVD Last Modified    2025-11-05
CVSS 3.1 Score       9.0
CVSS 3.1 Vector      CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity             CRITICAL
CWE                  CWE-424
CISA KEV Added       2025-05-02
CISA KEV Deadline    2025-05-23
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector:       Network
Attack Complexity:   High
Privileges Required: None
User Interaction:    None
Scope:               Changed
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2025-05-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-04-10  CVE published; Yii 2.0.52 released with fix
2025-05-02  CISA adds to KEV (confirmed exploitation in Craft CMS context)
2025-05-23  CISA BOD 22-01 remediation deadline

References

Resource                                        Type
Yii Framework — Please Upgrade to Yii 2.0.52    Vendor Advisory
NVD — CVE-2024-58136                            Vulnerability Database
CISA KEV Catalog Entry                          US Government