What is CVE-2025-2690?

CVE-2025-2690 is a medium-severity vulnerability in Yiisoft Yii2, classified under Deserialization of Untrusted Data. CVSS score: 6.3/10. Published 2025-03-24.

How severe is CVE-2025-2690?

Medium severity. CVSS v3 base score is 6.3 out of 10.

Deserialization in Yiisoft Yii2

CVE-2025-2690

A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is poss…

Vulnerability class: Insecure Deserialization

EPSS: 0.001 (24.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L.

Affected products

Yiisoft Yii2 — versions 2.0.0, 2.0.1, 2.0.2

Weakness classification (CWE)

References

VDB-300711 | yiisoft Yii2 MockClass.php generate deserialization (vdb-entry, technical-description)
VDB-300711 | CTI Indicators (IOB, IOC, IOA) (signature, permissions-required)
Submit #521718 | Yii Software LLC Yii 2.0 <=2.0.39 Deserialization (third-party-advisory)
github.com/gaorenyusi/gaorenyusi/blob/main/Yii2-2.md (exploit)

Frequently asked questions

What is CVE-2025-2690?: CVE-2025-2690 is a medium-severity vulnerability in Yiisoft Yii2, classified under Deserialization of Untrusted Data. CVSS score: 6.3/10. Published 2025-03-24.
How severe is CVE-2025-2690?: Medium severity. CVSS v3 base score is 6.3 out of 10.