8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-48734

GHSA ID

GHSA-wxr5-93ph-8wr9

EPSS Score

0.44169%

CWE

CWE-284

Published

5/28/2025

Updated

5/28/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-48734

CVE-2025-48734:
Apache Commons Improper Access Control vulnerability

Improper Access Control vulnerability in Apache Commons.

A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.

Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.

This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils

1.x are recommended to upgrade to version 1.11.0, which fixes the issue.

Users of the artifact org.apache.commons:commons-beanutils2

2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-48734

GHSA ID

GHSA-wxr5-93ph-8wr9

EPSS Score

0.44169%

CWE

CWE-284

Published

5/28/2025

Updated

5/28/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
commons-beanutils:commons-beanutils	maven	>= 1.0, <= 1.10.1	1.11.0
org.apache.commons:commons-beanutils2	maven	>= 2.0.0-M1, < 2.0.0-M2	2.0.0-M2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (CVE-2025-48734) in Apache Commons BeanUtils allows attackers to access an enum's classloader via the 'declaredClass' property, potentially leading to arbitrary code execution. This occurs when an application passes externally sourced property paths to PropertyUtilsBean.getProperty() or PropertyUtilsBean.getNestedProperty().

The commit bd20740da25b69552ddef8523beec0837297eaf9 addresses this by introducing SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS and enabling it by default in PropertyUtilsBean.resetBeanIntrospectors(). This method configures the introspectors used by PropertyUtilsBean.

The vulnerable functions are org.apache.commons.beanutils2.PropertyUtilsBean.getProperty and org.apache.commons.beanutils2.PropertyUtilsBean.getNestedProperty. Since org.apache.commons.beanutils2.BeanUtilsBean.getProperty uses PropertyUtilsBean for property retrieval, it is also affected.

Prior to the patch, these methods would resolve the declaringClass property on enum objects. An attacker could then chain this with .classLoader (e.g., myEnum.declaringClass.classLoader) to gain access to the classloader. The patch mitigates this by ensuring that declaringClass is suppressed by default during property introspection for enums. The provided test cases in EnumDeclaringClassTest.java confirm this behavior and the effectiveness of the fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Improp*r ****ss *ontrol vuln*r**ility in *p**** *ommons. * sp**i*l ***nIntrosp**tor *l*ss w*s ***** in v*rsion *.*.*. T*is **n ** us** to stop *tt**k*rs *rom usin* t** ***l*r** *l*ss prop*rty o* J*v* *num o*j**ts to **t ****ss to t** *l*sslo***r.

Reasoning

T** vuln*r**ility (*V*-****-*****) in *p**** *ommons ***nUtils *llows *tt**k*rs to ****ss *n *num's *l*sslo***r vi* t** '***l*r***l*ss' prop*rty, pot*nti*lly l***in* to *r*itr*ry *o** *x**ution. T*is o**urs w**n *n *ppli**tion p*ss*s *xt*rn*lly sour*

8.8

Basic Information

Concerned about an active attack path?

CVE-2025-48734: Apache Commons Improper Access Control vulnerability

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-48734:
Apache Commons Improper Access Control vulnerability

Vulnerability Intelligence
Miggo AI