What is CVE-2025-2689?

CVE-2025-2689 is a medium-severity vulnerability in Yiisoft Yii2, classified under Deserialization of Untrusted Data. CVSS score: 6.3/10. Published 2025-03-24.

How severe is CVE-2025-2689?

Medium severity. CVSS v3 base score is 6.3 out of 10.

Deserialization in Yiisoft Yii2

CVE-2025-2689

A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserial…

Vulnerability class: Insecure Deserialization

EPSS: 0.001 (29.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L.

Affected products

Yiisoft Yii2 — versions 2.0.0, 2.0.1, 2.0.2

Weakness classification (CWE)

References

VDB-300710 | yiisoft Yii2 SortableIterator.php getIterator deserialization (vdb-entry, technical-description)
VDB-300710 | CTI Indicators (IOB, IOC, IOA) (signature, permissions-required)
Submit #521709 | Yii Software LLC Yii 2.0 <=2.0.45 RCE (third-party-advisory)
github.com/gaorenyusi/gaorenyusi/blob/main/Yii2.md (exploit)

Frequently asked questions

What is CVE-2025-2689?: CVE-2025-2689 is a medium-severity vulnerability in Yiisoft Yii2, classified under Deserialization of Untrusted Data. CVSS score: 6.3/10. Published 2025-03-24.
How severe is CVE-2025-2689?: Medium severity. CVSS v3 base score is 6.3 out of 10.