CVE-2025-48734
Improper Access Control vulnerability in commons-beanutils:commons-beanutils
What is CVE-2025-48734 About?
This vulnerability in Apache Commons BeanUtils is an improper access control issue that lets attackers reach a Java enum's class loader through the `declaringClass` property of enum objects. Successful exploitation can lead to arbitrary code execution. Exploitation is moderately complex: it requires an application to pass external input directly as property paths to the `getProperty()` or `getNestedProperty()` methods.
Affected Software
- commons-beanutils:commons-beanutils
  - >1.0, <1.11.0
- org.apache.commons:commons-beanutils2
  - >2.0.0-M1, <2.0.0-M2
Technical Details
The vulnerability stems from an 'Improper Access Control' issue in Apache Commons BeanUtils, specifically in the `PropertyUtilsBean.getProperty()` and `PropertyUtilsBean.getNestedProperty()` methods prior to versions 1.11.0 and 2.0.0-M2. When an application passes property paths from an external source directly to these methods, an attacker can supply a specially crafted property path such as `declaringClass`. This property, inherent to all Java enum objects, allows access to the enum's class loader. Once the class loader is accessed, remote attackers can potentially use it to load and execute arbitrary code, bypassing intended access restrictions. A `BeanIntrospector` class was introduced in remediation to suppress access to the `declaringClass` property by default.
What is the Impact of CVE-2025-48734?
Successful exploitation may allow attackers to execute arbitrary code, compromise the integrity of the application, lead to a complete system compromise, or enable unauthorized data manipulation.
What is the Exploitability of CVE-2025-48734?
Exploitation requires external input to be passed directly to specific methods (`getProperty()` or `getNestedProperty()`) of `PropertyUtilsBean` within the application. There are no explicit authentication or privilege requirements for the injection itself, as it relies on the application's handling of untrusted input. The access is effectively remote, as the attacker provides the malicious input. The complexity lies in identifying an application that constructs property paths directly from untrusted external sources and successfully crafting the input to target the `declaringClass` property. The risk is high if an application frequently processes external input in this vulnerable manner.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-48734?
About the Fix from Resolved Security
This patch blocks access to the "declaringClass" property of Java enums by suppressing it via a specialized SuppressPropertiesBeanIntrospector, just as is already done for the "class" property. This prevents privileged information such as the class loader from being accessed through nested property queries, thereby fixing CVE-2025-48734, which allowed attackers to potentially escalate privileges or access sensitive internals via crafted property paths.
Available Upgrade Options
- org.apache.commons:commons-beanutils2
  - >2.0.0-M1, <2.0.0-M2 → Upgrade to 2.0.0-M2
- commons-beanutils:commons-beanutils
  - >1.0, <1.11.0 → Upgrade to 1.11.0
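Where property names must still come from requests, or a fixed release cannot be deployed yet, the same suppression can be registered by hand and paired with an allow-list of paths. This is an added example, not code from the Apache project or from this advisory; the class name `SafePropertyReader` and the allowed paths are assumptions, and it targets the 1.x package `org.apache.commons.beanutils` on Java 9 or later.

```java
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.TimeUnit;

import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/** Added example: guards property lookups whose path comes from external input. */
public final class SafePropertyReader {

    // Hypothetical allow-list: the only property paths this application exposes.
    private static final Set<String> ALLOWED_PATHS =
            Set.of("name", "status", "address.city");

    private final PropertyUtilsBean propertyUtils = new PropertyUtilsBean();

    public SafePropertyReader() {
        // Defence in depth for releases before the fix: hide both properties
        // that lead from a bean to its Class object and class loader.
        propertyUtils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        propertyUtils.addBeanIntrospector(
                new SuppressPropertiesBeanIntrospector(Collections.singleton("declaringClass")));
    }

    /** Resolves externalPath on bean only if the exact path is allow-listed. */
    public Object read(Object bean, String externalPath) throws ReflectiveOperationException {
        if (externalPath == null || !ALLOWED_PATHS.contains(externalPath)) {
            // Reject before the path ever reaches BeanUtils.
            throw new IllegalArgumentException("property path not permitted");
        }
        return propertyUtils.getNestedProperty(bean, externalPath);
    }

    public static void main(String[] args) throws Exception {
        SafePropertyReader reader = new SafePropertyReader();
        try {
            // Constructed sample: a JDK enum value stands in for an application bean.
            reader.read(TimeUnit.SECONDS, "declaringClass");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the introspectors registered, a lookup of `declaringClass` that bypassed the allow-list would fail with `NoSuchMethodException` instead of returning the enum's `Class`.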
Additional Resources
- https://github.com/apache/commons-beanutils/commit/bd20740da25b69552ddef8523beec0837297eaf9
- https://osv.dev/vulnerability/GHSA-wxr5-93ph-8wr9
- http://www.openwall.com/lists/oss-security/2025/05/28/6
- https://github.com/apache/commons-beanutils
- https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9
- https://nvd.nist.gov/vuln/detail/CVE-2025-48734
What are Similar Vulnerabilities to CVE-2025-48734?
Similar Vulnerabilities: CVE-2022-26134, CVE-2022-42889, CVE-2020-13936, CVE-2019-17558, CVE-2018-11776
