Improper Access Control in Apache Commons BeanUtils
CVE-2025-48734

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Commons Beanutils 1.x; Apache Commons Beanutils 2.x
Vendor: CVE Published:; 28 May 2025

What is CVE-2025-48734?

A vulnerability exists in Apache Commons BeanUtils that allows attackers to access the classloader of Java enum objects through improper property access controls. Specifically, if the 'getProperty()' method of PropertyUtilsBean is used with property paths from untrusted sources, attackers can manipulate the 'declaredClass' property of enums to reach the ClassLoader, potentially executing arbitrary code. To block this threat, versions 1.11.0 and 2.0.0-M2 have introduced a BeanIntrospector that by default disallows access to the 'declaredClass' property. Users are urged to upgrade to these versions to secure their applications.

Affected Version(s)

Apache Commons BeanUtils 1.x 1.0 < 1.11.0

Apache Commons BeanUtils 2.x 2.0.0-M1 < 2.0.0-M2

References

https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfoh...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 28, 2025
Vulnerability Reserved
May 23, 2025

Credit

Raj (mailto:[email protected])

Muthukumar Marikani (mailto:[email protected])