CVE-2025-2689

Summary

A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Affected Software

VendorProductVersion RangeStatus
yiisoftYii22.0.0affected
yiisoftYii22.0.1affected
yiisoftYii22.0.2affected
yiisoftYii22.0.3affected
yiisoftYii22.0.4affected
yiisoftYii22.0.5affected
yiisoftYii22.0.6affected
yiisoftYii22.0.7affected
yiisoftYii22.0.8affected
yiisoftYii22.0.9affected
yiisoftYii22.0.10affected
yiisoftYii22.0.11affected
yiisoftYii22.0.12affected
yiisoftYii22.0.13affected
yiisoftYii22.0.14affected
yiisoftYii22.0.15affected
yiisoftYii22.0.16affected
yiisoftYii22.0.17affected
yiisoftYii22.0.18affected
yiisoftYii22.0.19affected
yiisoftYii22.0.20affected
yiisoftYii22.0.21affected
yiisoftYii22.0.22affected
yiisoftYii22.0.23affected
yiisoftYii22.0.24affected
yiisoftYii22.0.25affected
yiisoftYii22.0.26affected
yiisoftYii22.0.27affected
yiisoftYii22.0.28affected
yiisoftYii22.0.29affected
yiisoftYii22.0.30affected
yiisoftYii22.0.31affected
yiisoftYii22.0.32affected
yiisoftYii22.0.33affected
yiisoftYii22.0.34affected
yiisoftYii22.0.35affected
yiisoftYii22.0.36affected
yiisoftYii22.0.37affected
yiisoftYii22.0.38affected
yiisoftYii22.0.39affected
yiisoftYii22.0.40affected
yiisoftYii22.0.41affected
yiisoftYii22.0.42affected
yiisoftYii22.0.43affected
yiisoftYii22.0.44affected
yiisoftYii22.0.45affected

Weaknesses

  • CWE-502: Deserialization
  • CWE-20: Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References