CVE-2020-36655 in Yii2 Gii
Summary
by MITRE • 01/21/2023
Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.
Analysis
by VulDB Data Team • 07/02/2025
CVE-2020-36655 affects the Yii2 Gii code generation tool, version 2.2.2 and earlier, and is a critical remote code execution flaw: an attacker can inject PHP code into the model files that Gii generates. The weakness lies in how the Generator.php component handles the messageCategory field, where insufficient input validation lets a crafted value be written into generated code and executed. It specifically concerns developers who use Gii's code generation, in particular when generating model files whose messageCategory parameter is populated from user-supplied data.
The vulnerability stems from inadequate sanitization of the messageCategory field in the Gii generator. When developers use Gii to generate models, the tool processes several parameters, among them messageCategory, which is meant to name the message category used for internationalization. The validation of this field does not properly sanitize the input, so an attacker can supply PHP code that is emitted into the generated model and later executed. This is a classic server-side code injection: the injected code becomes part of the generated files and runs whenever the application loads them.
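As an added illustration (not Gii's own code and not part of the VulDB analysis), the snippet below contrasts the weakness class just described, a generator field pasted verbatim into generated PHP source, with a hardened variant, and adds a tokenizer-based shape check a reviewer or test suite could run over generated code. The `Yii::t(<category>, 'Name')` skeleton, the function names and the sample inputs are assumptions made for this example; the real Gii template differs.

```php
<?php
// Added example (not Gii's code): unsafe vs. hardened emission of the
// messageCategory field into generated PHP, plus a shape check.
// The Yii::t(<category>, 'Name') skeleton is an assumption for illustration.

// Mirrors the defect: the field lands inside a single-quoted literal with
// no validation, so a quote in the value ends the literal early and the
// remainder of the value becomes PHP code in the generated file.
function renderMessageCategoryUnsafe(string $messageCategory): string
{
    return "Yii::t('" . $messageCategory . "', 'Name')";
}

// Hardened: accept only plain category names, then emit the value with
// var_export so it can only ever become a single PHP string literal.
function renderMessageCategorySafe(string $messageCategory): string
{
    if (!preg_match('~^[A-Za-z0-9_./-]+$~', $messageCategory)) {
        throw new InvalidArgumentException('messageCategory must be a plain category name');
    }
    return 'Yii::t(' . var_export($messageCategory, true) . ", 'Name')";
}

// Review/test helper: tokenize the generated expression and confirm it still
// has exactly the shape Yii::t(<literal>, <literal>). Any injected token,
// operator or call changes the token sequence and fails the check.
function hasExpectedShape(string $expression): bool
{
    $expected = [T_STRING, T_DOUBLE_COLON, T_STRING, '(', T_CONSTANT_ENCAPSED_STRING,
                 ',', T_CONSTANT_ENCAPSED_STRING, ')', ';'];
    $shape = [];
    foreach (token_get_all('<?php ' . $expression . ';') as $token) {
        if (is_array($token)) {
            if ($token[0] === T_OPEN_TAG || $token[0] === T_WHITESPACE) {
                continue;
            }
            $shape[] = $token[0];
        } else {
            $shape[] = $token;
        }
    }
    return $shape === $expected;
}

$benign  = 'app/models';   // constructed: a legitimate category name
$hostile = "app' . 'x";    // constructed: a quote that closes the literal early

var_dump(hasExpectedShape(renderMessageCategoryUnsafe($benign)));   // benign input, unsafe path
var_dump(hasExpectedShape(renderMessageCategoryUnsafe($hostile)));  // hostile input, unsafe path
var_dump(hasExpectedShape(renderMessageCategorySafe($benign)));     // benign input, hardened path
try {
    renderMessageCategorySafe($hostile);                            // hostile input never reaches the template
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The same shape check can be applied to an already generated model file to verify that every emitted translation call still consists of two plain string literals.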
The impact goes beyond simple code execution: a successful exploit gives the attacker control over the affected application's environment. From there they can run arbitrary commands on the server, which may lead to data breaches, full system compromise, or lateral movement within the network. The vulnerability is particularly dangerous because Gii is typically enabled during development, so an attacker who can reach this legitimate development tool can turn it into a path to unauthorized access. This is a significant risk for organizations whose development environments are not properly isolated from production systems.
Security professionals should view this vulnerability in the context of CWE-94, "Improper Control of Generation of Code ('Code Injection')", which describes the underlying weakness. It also maps to ATT&CK technique T1190, "Exploit Public-Facing Application", since it allows remote exploitation of a publicly reachable development tool. Organizations should upgrade to Yii2 Gii version 2.2.2 or later, which contains the patches for the input validation issue. In addition, security teams should review and restrict access to development environments, implement proper network segmentation, and disable Gii in production environments to minimize exposure. The vulnerability underlines the need to validate all user input in development tools, and in particular in code generation utilities that may be exposed to untrusted data sources.