The default queue serializer is yii\queue\serializers\PhpSerializer, which uses PHP serialization for job payloads. This is expected for trusted Yii/PHP producers and trusted queue backends, but the trust boundary is easy to miss.
If an application allows untrusted or semi-trusted producers to write jobs, or if queue storage is shared with systems outside the application trust boundary, the default PHP serializer is not appropriate. Workers unserialize the queued payload first and only then check that the result is a JobInterface instance, so anyone who can write raw queue messages is effectively trusted to hand the worker arbitrary serialized PHP objects.
Suggested action:
- Document that the default PHP serializer assumes trusted producers and trusted queue storage.
- Recommend yii\queue\serializers\JsonSerializer or a custom serializer for queues that receive jobs from non-PHP, third-party, or otherwise less trusted producers.
- Mention that queue backends such as Redis, DB, AMQP, file storage, SQS, etc. should not be writable by untrusted actors when using the default serializer.
- Consider whether a future major version should use a safer default or require an explicit opt-in for PHP serialization.
This is intended as public hardening/documentation work, not as a report of a default remotely exploitable issue.
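As an added illustration of the suggested configuration (not code from yii2-queue itself), the fragment below shows the default PhpSerializer beside a JSON-based setup, plus a hypothetical AllowlistJsonSerializer that refuses payloads naming any class outside an explicit list. The allowlist matters because JsonSerializer, as I understand the current implementation, instantiates whatever class the payload's `class` key names (check your installed version); the queue component names, channel names and the app\jobs\* job classes are assumptions for the example.

```php
<?php
// Added example, not yii2-queue's own code. Assumes a Redis-backed queue and
// hypothetical job classes app\jobs\SendEmailJob and app\jobs\ResizeImageJob.

use yii\queue\JobInterface;
use yii\queue\serializers\JsonSerializer;
use yii\queue\serializers\PhpSerializer;

// Hypothetical serializer: delegates to JsonSerializer but rejects any payload
// that names a class (at any nesting level) outside an explicit allowlist.
class AllowlistJsonSerializer extends JsonSerializer
{
    /** @var string[] fully qualified job classes this worker may instantiate */
    public $allowedClasses = [];

    public function unserialize($serialized)
    {
        $data = json_decode($serialized, true);
        if (!is_array($data) || !isset($data[$this->classKey])) {
            throw new \UnexpectedValueException('Queue payload is not a job object.');
        }
        $this->assertAllowed($data);

        $job = parent::unserialize($serialized);
        if (!$job instanceof JobInterface) {
            throw new \UnexpectedValueException('Queue payload did not decode to a JobInterface.');
        }
        return $job;
    }

    // Walk the decoded structure so nested objects cannot smuggle in other classes.
    private function assertAllowed(array $data)
    {
        if (isset($data[$this->classKey])
            && !in_array($data[$this->classKey], $this->allowedClasses, true)) {
            throw new \UnexpectedValueException(
                'Class not allowed in queue payload: ' . $data[$this->classKey]
            );
        }
        foreach ($data as $value) {
            if (is_array($value)) {
                $this->assertAllowed($value);
            }
        }
    }
}

return [
    'components' => [
        // Trusted producers and trusted storage only: PHP serialization, which is
        // also what you get when 'serializer' is omitted entirely.
        'queueInternal' => [
            'class' => \yii\queue\redis\Queue::class,
            'redis' => 'redis',
            'channel' => 'jobs-internal',
            'serializer' => PhpSerializer::class,
        ],
        // Queue written by third-party or non-PHP producers: JSON payloads, with
        // the set of instantiable job classes pinned down.
        'queueShared' => [
            'class' => \yii\queue\redis\Queue::class,
            'redis' => 'redis',
            'channel' => 'jobs-shared',
            'serializer' => [
                'class' => AllowlistJsonSerializer::class,
                'allowedClasses' => [
                    \app\jobs\SendEmailJob::class,
                    \app\jobs\ResizeImageJob::class,
                ],
            ],
        ],
    ],
];
```

The `serializer` value can be a class name or a config array because the queue component resolves it with Instance::ensure; the allowlist check runs before the parent decodes anything, so a rejected payload never reaches object construction, and the worker's own JobInterface check remains as a second line of defence.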