Improper Access Control in Apache Commons BeanUtils
CVE-2025-48734
Key Information:
- Vendor: Apache
- CVE Published: 28 May 2025
What is CVE-2025-48734?
A vulnerability in Apache Commons BeanUtils lets attackers reach the ClassLoader behind Java enum objects through improper property access control. Specifically, when the 'getProperty()' method of PropertyUtilsBean is called with property paths from untrusted sources, an attacker can walk through the 'declaredClass' property of an enum to its ClassLoader, which can lead to arbitrary code execution. To block this, versions 1.11.0 and 2.0.0-M2 ship a BeanIntrospector that disallows access to the 'declaredClass' property by default. Users are urged to upgrade to these versions to secure their applications.
Affected Version(s)
- Apache Commons BeanUtils 1.x: from 1.0, before 1.11.0
- Apache Commons BeanUtils 2.x: from 2.0.0-M1, before 2.0.0-M2
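For a deployment that cannot upgrade yet, the mitigation the description refers to can be applied by hand on the 1.9.2 to 1.10.x line, where the suppressing introspector already exists but is not registered by default. The following is an added example, not code from Apache Commons BeanUtils; it assumes the property name "declaringClass", which is what Java bean introspection derives from Enum.getDeclaringClass() (the enum property the description above calls 'declaredClass'), and the constructed sample enum Role is hypothetical.

```java
import java.util.Collections;

import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/** Manual hardening for BeanUtils 1.9.2 - 1.10.x (added example, not project code). */
public final class EnumPropertyHardening {

    /** Constructed sample enum with one ordinary getter, standing in for application enums. */
    public enum Role {
        ADMIN("admins"), USER("users");
        private final String label;
        Role(String label) { this.label = label; }
        public String getLabel() { return label; }
    }

    /** Run once at startup, before any bean is introspected (descriptors are cached per class). */
    public static void install() {
        // Hide the read-only "declaringClass" property that introspection derives from
        // Enum.getDeclaringClass(); it is the hop from an enum value to its ClassLoader.
        PropertyUtils.addBeanIntrospector(
            new SuppressPropertiesBeanIntrospector(Collections.singleton("declaringClass")));
        // Also hide "class" (Object.getClass()) on every bean; same hop, one level up.
        PropertyUtils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
    }

    /** True if the property path resolves; NoSuchMethodException means the introspector hid it. */
    static boolean resolves(Object bean, String path) {
        try {
            PropertyUtils.getProperty(bean, path);
            return true;
        } catch (NoSuchMethodException e) {
            return false;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("unexpected failure on " + path, e);
        }
    }

    /** Self-check: ordinary properties keep working, class-level ones are no longer reachable. */
    public static void main(String[] args) {
        install();
        if (!resolves(Role.ADMIN, "label")) {
            throw new AssertionError("hardening broke ordinary property access");
        }
        for (String blocked : new String[] {"declaringClass", "class"}) {
            if (resolves(Role.ADMIN, blocked)) {
                throw new AssertionError("property '" + blocked + "' is still reachable");
            }
        }
        System.out.println("enum class-level properties suppressed");
    }
}
```

PropertyUtils delegates to a BeanUtilsBean instance held per thread context class loader, so in a container install() must run under the same context class loader as the code that later calls getProperty(). On 1.11.0 and 2.0.0-M2 the self-check passes without install(), which makes it a useful regression test after the upgrade.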