yiisoft Yii2 Deserialization Vulnerability in PHPUnit MockClass Remote Code Execution

Vulnerability

A critical deserialization vulnerability has been identified in yiisoft Yii2 versions through 2.0.39. The issue arises in the 'generate' function of 'phpunit\src\Framework\MockObject\MockClass.php', where untrusted data is deserialized without proper validation. This vulnerability can be exploited remotely, leading to arbitrary command execution.
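The root cause described above is the classic PHP pattern of passing attacker-controlled bytes to unserialize(), which instantiates whatever class the payload names and runs that class's magic methods. The following is an added example, not code from the advisory or from the Yii2 or PHPUnit projects; it shows the weak call beside two hardened alternatives and a simple detection check. The sample payload and the function names are constructed for illustration.

```php
<?php
// Added example (not from the advisory, Yii2 or PHPUnit).
// Shows the weak unserialize() pattern and hardened replacements.

// Constructed sample input: a serialized array as it might arrive in a
// request parameter. In a real deployment the same channel could carry
// any class known to the autoloader, which is what makes the gadget
// class named in the advisory reachable.
$untrusted = 'a:1:{s:4:"role";s:4:"user";}';

// WEAK: no class restriction, so any object in the payload is created
// and its __wakeup()/__destruct() logic runs on the server.
function loadWeak(string $data)
{
    return unserialize($data);
}

// HARDENED 1: refuse objects entirely. PHP >= 7.0 supports the
// allowed_classes option; with false, every class in the payload is
// replaced by __PHP_Incomplete_Class and no gadget method executes.
function loadNoObjects(string $data)
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    // unserialize() returns false both for malformed input and for the
    // literal serialized false ('b:0;'), so distinguish the two.
    if ($value === false && $data !== 'b:0;') {
        throw new RuntimeException('malformed serialized data');
    }
    return $value;
}

// HARDENED 2: do not use PHP serialization for untrusted input at all;
// a data-only format such as JSON cannot name classes.
function loadJson(string $data): array
{
    $value = json_decode($data, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new RuntimeException('expected a JSON object or array');
    }
    return $value;
}

// DETECTION: flag payloads that carry object tokens (O: for objects,
// C: for custom-serialized classes) so they can be logged or rejected
// before deserialization is attempted. Hypothetical helper.
function containsObjectToken(string $data): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $data);
}

// Usage
var_dump(loadNoObjects($untrusted));        // array with role => "user"
var_dump(loadJson('{"role":"user"}'));      // same data via JSON
var_dump(containsObjectToken($untrusted));  // bool(false)
var_dump(containsObjectToken('O:8:"stdClass":0:{}')); // bool(true)
```

The detection regex is a coarse pre-filter, not a parser: it is meant to raise an alert in request logging, while the actual protection comes from allowed_classes => false or from not using unserialize() on external input. Upgrading past the affected Yii2 range remains the primary remediation; the code above limits exposure where an upgrade cannot be applied immediately.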

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where the affected Yii2 version is running.

Reproduction

To reproduce this vulnerability, upload a crafted PHP object that exploits the deserialization flaw into an application running Yii2 version 2.0.39 or earlier. The object should be designed to execute arbitrary PHP code when the application deserializes it. Once the object is deserialized, the embedded code will be executed on the server.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.