CVE-2025-68455: Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
This was reported as a vulnerability in the Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not provided (and seemingly will not provide) a fix at the framework level. I am therefore reporting this to Craft, as I found it to affect the latest (5.6.0) version of Craft CMS.
Using a legitimate but maliciously crafted Yii Behavior class, it is possible to trigger Remote Code Execution (RCE) via Reflection when the tainted Behavior is attached to a Yii Component and an event is then fired on that Component.
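As an added example (not code from Craft CMS, Yii, or this advisory), one defensive pattern for applications that attach behaviors from configuration they do not fully control: resolve the behavior's class name and refuse anything outside an explicit allowlist before calling `attachBehavior()`. The `TrustedBehaviorAttacher` class, its constructor argument, and the assumption that behavior specs can arrive from outside the application are illustrative; only `yii\base\Component::attachBehavior()`, `yii\base\Behavior`, and `yii\base\InvalidConfigException` are real Yii APIs.

```php
<?php
// Added example: gate behavior attachment behind an exact-match allowlist.
// Not Craft CMS or Yii code; the class and allowlist contents are assumptions.

use yii\base\Behavior;
use yii\base\Component;
use yii\base\InvalidConfigException;

final class TrustedBehaviorAttacher
{
    /** @var array<string, true> fully qualified Behavior class names that may be attached */
    private array $allowed;

    /** @param string[] $allowedClasses */
    public function __construct(array $allowedClasses)
    {
        // Normalise leading backslashes so "\app\behaviors\Foo" and "app\behaviors\Foo" match.
        $this->allowed = array_fill_keys(
            array_map(static fn (string $c): string => ltrim($c, '\\'), $allowedClasses),
            true
        );
    }

    /**
     * Resolve the concrete class from a Yii behavior spec: a class name string,
     * a config array with a 'class' key, or an already constructed Behavior.
     */
    private function className($spec): string
    {
        if ($spec instanceof Behavior) {
            return get_class($spec);
        }
        if (is_string($spec)) {
            return ltrim($spec, '\\');
        }
        if (is_array($spec) && isset($spec['class']) && is_string($spec['class'])) {
            return ltrim($spec['class'], '\\');
        }
        throw new InvalidConfigException('Unrecognised behavior specification');
    }

    /**
     * Attach $spec to $component only if its class is allowlisted and is a real Behavior.
     * Fails closed: an unknown class is rejected before any constructor or event handler
     * of that class can run.
     */
    public function attach(Component $component, string $name, $spec): Behavior
    {
        $class = $this->className($spec);

        // Exact match only. Subclasses of an allowed class are not implicitly trusted,
        // because the attacker-supplied part in this bug class is the Behavior class itself.
        if (!isset($this->allowed[$class])) {
            throw new InvalidConfigException("Behavior class {$class} is not allowlisted");
        }
        if (!is_subclass_of($class, Behavior::class)) {
            throw new InvalidConfigException("{$class} is not a yii\\base\\Behavior");
        }

        return $component->attachBehavior($name, $spec);
    }
}

// Illustrative use: $component is any yii\base\Component; the behavior class is assumed.
// $attacher = new TrustedBehaviorAttacher([\app\behaviors\TimestampBehavior::class]);
// $attacher->attach($component, 'timestamp', ['class' => \app\behaviors\TimestampBehavior::class]);
```

The gate sits in front of `attachBehavior()` rather than in the event path, so `trigger()` on the component only ever reaches behaviors the application has vetted. This is a compensating control for code that builds behavior specs from external input; the authoritative fix for Craft CMS itself is the patched version referenced by the commits listed below.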
References
- github.com/advisories/GHSA-255j-qw47-wjh5
- github.com/craftcms/cms
- github.com/craftcms/cms/blob/5.x/CHANGELOG.md
- github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7
- github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef
- github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593
- github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5
- nvd.nist.gov/vuln/detail/CVE-2025-68455