CVE-2025-48043: Ash Framework: Filter authorization misapplies impossible bypass/runtime policies
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ash | erlang | < 3.6.2 | 3.6.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two separate flaws in the Ash framework's filter-based authorization logic, which could lead to unauthorized data access. I analyzed the provided patch commit to pinpoint the exact locations of these flaws.
- Bypass Policy Flaw in `Ash.Policy.Policy.compile_policy_expression/1`: The description highlighted that bypass policies with conditions that can never be true at runtime were being miscompiled. The patch for `lib/ash/policy/policy.ex` confirms this. The original code used an `OR` condition that included a `NOT` of the bypass condition. This meant that if the bypass condition was false, the policy would become permissive. The fix introduces a specific check for `bypass?` and generates a stricter `AND` expression, removing the vulnerability. The vulnerable function is the private function `compile_policy_expression/1` within the `Ash.Policy.Policy` module.
- Empty Scenario Flaw in `Ash.Policy.Authorizer`: The second issue was that runtime policy scenarios that resulted in no applicable checks were being dropped, again leading to a permissive filter. The patch in `lib/ash/policy/authorizer/authorizer.ex` shows a new check, `if scenario == %{}`, which explicitly adds a `false` condition to the filter. This ensures that an impossible scenario correctly filters out all results. By inspecting the file structure, I identified that this logic resides within the `build_filter/2` private function, which is responsible for constructing the final query filter.
Both identified functions are directly involved in processing authorization rules and constructing the data access filters. An exploit would involve a read operation on a resource where a misconfigured authorization policy (either a bypass or a runtime check) triggers one of these flawed logic paths, causing the database query to return more data than the user is authorized to see.
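The two filter shapes described above, as an added Python model that is not Ash's code: the expression encoding, the functions `evaluate`, `compile_bypass`, `build_filter` and `visible_ids`, and the sample records are constructed for this illustration, and `fixed=True` stands in for the 3.6.2 behaviour.

```python
# Filter expression: a bool literal or a tuple ("eq", field, value),
# ("not", e), ("and", e1, ...), ("or", e1, ...). Constructed encoding, not Ash's.

RECORDS = [  # constructed sample data; only alice's record should be visible
    {"id": 1, "owner": "alice"},
    {"id": 2, "owner": "bob"},
]

def evaluate(expr, record):
    """Evaluate a filter expression against one record."""
    if isinstance(expr, bool):
        return expr
    op, *args = expr
    if op == "eq":
        return record.get(args[0]) == args[1]
    if op == "not":
        return not evaluate(args[0], record)
    if op == "and":
        return all(evaluate(a, record) for a in args)
    if op == "or":
        return any(evaluate(a, record) for a in args)
    raise ValueError(f"unknown operator {op!r}")

def compile_bypass(condition, check, fixed):
    """Pre-3.6.2 shape: NOT condition OR check. With a condition that can never
    be true, the NOT branch is always true and the filter admits every row.
    Fixed shape: condition AND check, which collapses to false instead."""
    if fixed:
        return ("and", condition, check)
    return ("or", ("not", condition), check)

def build_filter(scenarios, fixed):
    """OR together runtime scenarios; each scenario maps check names to
    expressions that must all hold. Pre-3.6.2 an empty scenario was dropped,
    leaving no constraint at all (modelled as True); the fix emits false."""
    parts = []
    for scenario in scenarios:
        if scenario == {}:
            if fixed:
                parts.append(False)
            continue  # vulnerable path: silently dropped
        parts.append(("and", *scenario.values()))
    return ("or", *parts) if parts else True

def visible_ids(expr, records=RECORDS):
    """Ids a caller would see once the compiled filter is applied."""
    return [r["id"] for r in records if evaluate(expr, r)]
```

With an impossible bypass condition the vulnerable shape returns both records while the fixed shape returns none; when the condition holds, both shapes agree.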
Vulnerable functions
- `Ash.Policy.Policy.compile_policy_expression/1` (lib/ash/policy/policy.ex)
- `Ash.Policy.Authorizer.build_filter/2` (lib/ash/policy/authorizer/authorizer.ex)