CVE-2025-2689: yiisoft Yii2 Deserialization of Untrusted Data

March 24, 2025

A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

References

github.com/advisories/GHSA-88m2-j94x-v4fx
github.com/gaorenyusi/gaorenyusi/blob/main/Yii2.md
github.com/yiisoft/yii2
nvd.nist.gov/vuln/detail/CVE-2025-2689
vuldb.com/?ctiid.300710
vuldb.com/?id.300710
vuldb.com/?submit.521709

Code Behaviors & Features

Detect and mitigate CVE-2025-2689 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →