CVE-2025-48734

HIGH

Published 2025-05-28T13:32:08.300Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2025-48734. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1

8.8

/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score Metrics

Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14

0.002

probability

of exploitation in the wild

There is a 0.2% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25

Exploit Probability

Percentile: 0.404

Higher than 40.4% of all CVEs

Attack Vector Metrics

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Impact Metrics

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Description

Improper Access Control vulnerability in Apache Commons.

A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.

Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.

This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils

1.x are recommended to upgrade to version 1.11.0, which fixes the issue.

Users of the artifact org.apache.commons:commons-beanutils2

2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Apache Software Foundation

Apache Commons BeanUtils 1.x

Affected Versions:

1.0

Apache Software Foundation

Apache Commons BeanUtils 2.x

Affected Versions:

2.0.0-M1

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

EU Coordinated

Exploitation Status

No Known Exploitation

EUVD ID

View on ENISA

ENISA Analysis

Improper Access Control vulnerability in Apache Commons.

This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils

1.x are recommended to upgrade to version 1.11.0, which fixes the issue.

Users of the artifact org.apache.commons:commons-beanutils2

2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.

Affected Products (ENISA)

apache software foundation

apache commons beanutils 1.x

ENISA Scoring

CVSS Score (3.1)

8.8

/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.060

probability

ENISA References

https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9

Data provided by ENISA EU Vulnerability Database. Last updated: May 28, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Apache Commons Improper Access Control vulnerability

GHSA-wxr5-93ph-8wr9

Advisory Details

Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.

Affected Packages

Maven commons-beanutils:commons-beanutils

ECOSYSTEM: ≥1.0 <1.11.0

Maven org.apache.commons:commons-beanutils2

ECOSYSTEM: ≥2.0.0-M1 <2.0.0-M2

CVSS Scoring

CVSS Score

7.5

CVSS Vector


                                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-48734

WEB https://github.com/apache/commons-beanutils/commit/bd20740da25b69552ddef8523beec0837297eaf9

PACKAGE https://github.com/apache/commons-beanutils

WEB https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9

WEB http://www.openwall.com/lists/oss-security/2025/05/28/6

Advisory provided by GitHub Security Advisory Database. Published: May 28, 2025, Modified: May 28, 2025

Social Media Intelligence

Real-time discussions and threat intelligence from social platforms

1 post

Reddit • 6 days, 7 hours ago

michaelpaoli

Debian 13.1 (and 12.12) 2025-09-06 "Just" a "minor" point release. But for those that have been waiting to upgrade to Debian 13, perhaps that time now draws nearer? [\[SUA 273-1\] Upcoming Debian 13 Update (13.1)](https://lists.debian.org/debian-stable-announce/2025/09/msg00000.html) [\[SUA 274-1\] Upcoming Debian 12 Update (12.12)](https://lists.debian.org/debian-stable-announce/2025/09/msg00001.html) 13.1: >\[SUA 273-1\] Upcoming Debian 13 Update (13.1) …

Also mentions: CVE-2025-7039 CVE-2025-40927 CVE-2025-9185 CVE-2025-9181 CVE-2025-47806 CVE-2025-47219 CVE-2025-47807 CVE-2025-47808 CVE-2025-53859 CVE-2025-50952 CVE-2025-54798 CVE-2025-54874 CVE-2025-54350 CVE-2025-54349 CVE-2025-27613 CVE-2025-27614 CVE-2025-20260 CVE-2025-23048 CVE-2025-46835 CVE-2025-49812 CVE-2025-49630 CVE-2025-53019 CVE-2025-53101 CVE-2025-53020 CVE-2025-8058 CVE-2024-42516 CVE-2024-43394 CVE-2024-43204 CVE-2024-47252 CVE-2025-6965 CVE-2025-7394 CVE-2025-7783 CVE-2025-53015 CVE-2025-53014 CVE-2025-48385 CVE-2025-48384 CVE-2024-25178 CVE-2024-25177 CVE-2024-25176 CVE-2025-4748 CVE-2024-6174 CVE-2024-11584 CVE-2025-6170 CVE-2025-49794 CVE-2025-49796 CVE-2025-6021 CVE-2025-5916 CVE-2025-5915 CVE-2025-5914 CVE-2025-5917 CVE-2025-49133 CVE-2025-48387 CVE-2025-27553 CVE-2025-27773 CVE-2025-46712 CVE-2025-46393 CVE-2025-46398 CVE-2025-46397 CVE-2025-47203 CVE-2023-52970 CVE-2023-26819 CVE-2025-40908 CVE-2025-40909 CVE-2025-4373 CVE-2023-53154 CVE-2025-2784 CVE-2025-48060 CVE-2025-47273 CVE-2025-4802 CVE-2025-46399 CVE-2025-46400 CVE-2025-46337 CVE-2025-32050 CVE-2025-46421 CVE-2025-46420 CVE-2025-43965 CVE-2025-43964 CVE-2025-43963 CVE-2025-43962 CVE-2025-43961 CVE-2025-3818 CVE-2025-32906 CVE-2025-32912 CVE-2025-32911 CVE-2025-30722 CVE-2025-30693 CVE-2025-3576 CVE-2025-32910 CVE-2025-32909 CVE-2025-32913 CVE-2025-32053 CVE-2025-32052 CVE-2025-32051 CVE-2024-12905 CVE-2025-30472 CVE-2024-6866 CVE-2024-6844 CVE-2024-6839 CVE-2024-8176 CVE-2023-52971 CVE-2023-52969 CVE-2025-27516 CVE-2025-27221 CVE-2022-37660 CVE-2024-56161 CVE-2025-20128 CVE-2025-23016 CVE-2024-34703 CVE-2024-34702 CVE-2024-45236 CVE-2024-45234 CVE-2024-45235 CVE-2024-45238 CVE-2024-45237 CVE-2024-45239 CVE-2024-0962 CVE-2024-10525 CVE-2024-31031 CVE-2024-38875 CVE-2024-57822 CVE-2024-57823 CVE-2024-3935 CVE-2024-42005 CVE-2024-39330 CVE-2024-39329 CVE-2024-39917 CVE-2024-39312 CVE-2024-39614 CVE-2024-52532 CVE-2024-52530 CVE-2024-52531 CVE-2024-33899 CVE-2024-50602 CVE-2024-50624 CVE-2024-50383 CVE-2024-50612 CVE-2024-5569 CVE-2024-49768 CVE-2024-49769 CVE-2024-1681 CVE-2024-41991 CVE-2024-41990 CVE-2024-41989 CVE-2024-8376 CVE-2023-36053 CVE-2023-31484 CVE-2023-28755 CVE-2023-28366 CVE-2023-42822 CVE-2023-52425 CVE-2023-40184 CVE-2022-33065 CVE-2021-46312 CVE-2021-46310 CVE-2021-25743 CVE-2019-25211

86.0

View Original

References

https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9

Published: 2025-05-28T13:32:08.300Z

Last Modified: 2025-05-29T03:55:47.725Z

Copied to clipboard!

CVE-2025-48734

Expert Analysis

CVSS Score

EPSS Score

Attack Vector Metrics

Impact Metrics

Description

Available Exploits

Related News

Affected Products

Apache Commons BeanUtils 1.x

Affected Versions:

Apache Commons BeanUtils 2.x

Affected Versions:

EU Vulnerability Database

EU Coordination

Exploitation Status

EUVD ID

ENISA Analysis

Affected Products (ENISA)

ENISA Scoring

CVSS Score (3.1)

EPSS Score

ENISA References

GitHub Security Advisories

Apache Commons Improper Access Control vulnerability

Advisory Details

Affected Packages

CVSS Scoring

CVSS Score

CVSS Vector

References

Social Media Intelligence

References

Request Analysis

What to expect

Request Received!