8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-48044

GHSA ID

GHSA-pcxq-fjp3-r752

EPSS Score

CWE

CWE-863

Published

10/17/2025

Updated

10/17/2025

KEV Status

Technology

Erlang

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-48044

CVE-2025-48044: Ash has authorization bypass when bypass policy condition evaluates to true

Summary

Bypass policies incorrectly authorize requests when their condition evaluates to true but their authorization checks fail and no other policies apply.

Impact

Resources with bypass policies can be accessed without proper authorization when:

Bypass condition evaluates to true
Bypass authorization checks fail
Other policies exist but their conditions don't match

Details

Bug introduced in PR #2365 (commit 79749c26).

Affected line: lib/ash/policy/policy.ex:69

{%{bypass?: true}, cond_expr, complete_expr}, {one_condition_matches, all_policies_match} ->
  {
    b(cond_expr or one_condition_matches),  # <- Bug: uses condition only
    b(complete_expr or all_policies_match)
  }

The final authorization decision is: one_condition_matches AND all_policies_match

When a bypass condition is true but bypass policies fail, and subsequent policies have non-matching conditions:

one_condition_matches = cond_expr (bypass condition) = true (bug - should check if bypass actually authorizes)
all_policies_match = (complete_expr OR NOT cond_expr) for each policy
- For non-matching policies: (false OR NOT false) = true (policies don't apply)
Final: true AND true = true (incorrectly authorized)

The bypass condition alone satisfies "at least one policy applies" even though the bypass fails to authorize.

Fix

Replace cond_expr with complete_expr on line 69:

{%{bypass?: true}, _cond_expr, complete_expr}, {one_condition_matches, all_policies_match} ->
  {
    b(complete_expr or one_condition_matches),  # <- Fixed
    b(complete_expr or all_policies_match)
  }

Line 52 should also be updated for consistency (though it's only triggered when bypass is the last policy, making it coincidentally safe in practice):

{%{bypass?: true}, _cond_expr, complete_expr}, {one_condition_matches, true} ->
  {
    b(complete_expr or one_condition_matches),  # <- For consistency
    complete_expr
  }

PoC

policies do
  bypass always() do
    authorize_if actor_attribute_equals(:is_admin, true)
  end

  policy action_type(:read) do
    authorize_if always()
  end
end

Non-admin user can perform create actions (should be denied).

Test demonstrating the bug:

test "bypass policy bug" do
  policies = [
    %Ash.Policy.Policy{
      bypass?: true,
      condition: [{Ash.Policy.Check.Static, result: true}],  # condition = true
      policies: [
        %Ash.Policy.Check{
          type: :authorize_if,
          check: {Ash.Policy.Check.Static, result: false},  # policies = false
          check_module: Ash.Policy.Check.Static,
          check_opts: [result: false]
        }
      ]
    },
    %Ash.Policy.Policy{
      bypass?: false,
      condition: [{Ash.Policy.Check.Static, result: false}],
      policies: [
        %Ash.Policy.Check{
          type: :authorize_if,
          check: {Ash.Policy.Check.Static, result: true},
          check_module: Ash.Policy.Check.Static,
          check_opts: [result: true]
        }
      ]
    }
  ]

  expression = Ash.Policy.Policy.expression(policies, %{})
  
  assert expression == false
  # Expected: false (deny)
  # Actual on main: true (incorrectly authorized)
end

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-48044

GHSA ID

GHSA-pcxq-fjp3-r752

EPSS Score

CWE

CWE-863

Published

10/17/2025

Updated

10/17/2025

KEV Status

Technology

Erlang

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ash	erlang	>= 3.6.3, <= 3.7.0	3.7.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an authorization bypass in the ash Elixir library. The provided patch clearly shows the modification in the lib/ash/policy/policy.ex file within the Ash.Policy.Policy.expression/2 function. The change from b(cond_expr or one_condition_matches) to b(complete_expr or one_condition_matches) fixes the bug where a bypass policy's condition being true would incorrectly satisfy the authorization check, even if the policy's authorization checks failed. The vulnerable function is therefore Ash.Policy.Policy.expression, as it contains the flawed logic that leads to the authorization bypass.

Vulnerable functions

Ash.Policy.Policy.expression

lib/ash/policy/policy.ex

The vulnerability lies in the `expression` function, specifically in how it handles bypass policies. The logic incorrectly used the policy's condition (`cond_expr`) to determine if at least one policy condition matched, rather than the complete expression (`complete_expr`), which also includes the authorization checks. This allowed a request to be authorized if a bypass policy's condition was met, even if the authorization checks within that policy failed.

WAF Protection Rules

WAF Rule

### Summ*ry *yp*ss poli*i*s in*orr**tly *ut*oriz* r*qu*sts w**n t**ir *on*ition *v*lu*t*s to tru* *ut t**ir *ut*oriz*tion ****ks **il *n* no ot**r poli*i*s *pply. ### Imp**t R*sour**s wit* *yp*ss poli*i*s **n ** ****ss** wit*out prop*r *ut*oriz*tion

Reasoning

T** vuln*r**ility is *n *ut*oriz*tion *yp*ss in t** `*s*` *lixir li*r*ry. T** provi*** p*t** *l**rly s*ows t** mo*i*i**tion in t** `li*/*s*/poli*y/poli*y.*x` *il* wit*in t** `*s*.Poli*y.Poli*y.*xpr*ssion/*` *un*tion. T** ***n** *rom `*(*on*_*xpr or o

8.1

Basic Information

Concerned about an active attack path?

CVE-2025-48044: Ash has authorization bypass when bypass policy condition evaluates to true

Summary

Impact

Details

Fix

PoC

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI