Improper Access Control in Apache Commons BeanUtils
CVE-2025-48734

8.8 HIGH

What is CVE-2025-48734?

Apache Commons BeanUtils resolves bean property paths by reflection. If an application passes property paths taken from an untrusted source directly to the getProperty() method of PropertyUtilsBean (getNestedProperty() has the same issue), an attacker can use the 'declaredClass' property that every Java enum exposes (it corresponds to java.lang.Enum.getDeclaringClass()) to reach the enum's Class object and, from there, its ClassLoader, which is a well-known stepping stone to arbitrary code execution. BeanUtils has hidden the plain 'class' property from property access by default since 1.9.4, using a SuppressPropertiesBeanIntrospector, but the enum's declaring class was not covered. Versions 1.11.0 and 2.0.0-M2 extend the default introspection so that PropertyUtilsBean (and consequently BeanUtilsBean) disallows access to the declaring class property by default. Users are urged to upgrade. Applications that cannot upgrade immediately, or that install their own BeanIntrospector chain, can register a SuppressPropertiesBeanIntrospector for the property themselves, and in every case should avoid accepting arbitrary property paths from untrusted input, since the library fix closes this one traversal rather than the underlying pattern.
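The following Java program is an added example, not code from the advisory or from the Commons BeanUtils project. It shows the vulnerable pattern beside a hardened one: an attacker-chosen path walks from an enum-typed property through its declaring class to the ClassLoader, while the hardened lookup both allowlists the property names it will resolve and registers a SuppressPropertiesBeanIntrospector for "declaringClass" (the bean-property spelling of Enum.getDeclaringClass(); the advisory text calls it 'declaredClass'). The Account bean, the Status enum and the ALLOWED set are constructed for the example; the BeanUtils calls used (PropertyUtilsBean.getProperty, addBeanIntrospector, SuppressPropertiesBeanIntrospector and its SUPPRESS_CLASS constant) exist in the 1.9.x line and later. On 1.11.0 or 2.0.0-M2 the explicit suppression is redundant with the new default, which is the point of the upgrade; the allowlist is still worth keeping.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class EnumPropertyPathDemo {

    // Constructed for this example: an enum-typed property is the entry point.
    public enum Status { ACTIVE, DISABLED }

    // Hypothetical bean standing in for any application object handed to BeanUtils.
    public static class Account {
        public Status getStatus() { return Status.ACTIVE; }
        public String getOwner()  { return "alice"; }
    }

    // VULNERABLE: an untrusted path goes straight into getProperty().
    // Before 1.11.0 / 2.0.0-M2 the default introspectors hide "class" but not the
    // enum's "declaringClass", so "status.declaringClass.classLoader" resolves to a
    // ClassLoader instance.
    public static Object vulnerableLookup(Object bean, String untrustedPath) throws Exception {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        return pub.getProperty(bean, untrustedPath);
    }

    // HARDENED: (1) only exact, pre-approved property names are resolved, so no
    // nested traversal is possible at all; (2) the introspector chain explicitly
    // suppresses both "class" and "declaringClass" as defence in depth.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("status", "owner"))); // constructed allowlist

    public static Object hardenedLookup(Object bean, String untrustedPath) throws Exception {
        if (!ALLOWED.contains(untrustedPath)) {
            throw new IllegalArgumentException("property not permitted: " + untrustedPath);
        }
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pub.addBeanIntrospector(
                new SuppressPropertiesBeanIntrospector(Arrays.asList("declaringClass")));
        return pub.getProperty(bean, untrustedPath);
    }

    public static void main(String[] args) throws Exception {
        Account acct = new Account();
        String attackerPath = "status.declaringClass.classLoader"; // attacker-controlled input

        Object reached = vulnerableLookup(acct, attackerPath);
        System.out.println("vulnerable lookup: "
                + (reached instanceof ClassLoader ? "reached a ClassLoader" : String.valueOf(reached)));

        try {
            hardenedLookup(acct, attackerPath);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened lookup: rejected (" + e.getMessage() + ")");
        }

        System.out.println("hardened lookup, legitimate path: " + hardenedLookup(acct, "status"));
    }
}
```

Run against a BeanUtils release older than 1.11.0 the first line reports that a ClassLoader was reached; against 1.11.0 or 2.0.0-M2 the same call fails because the declaring class property is suppressed by default. The allowlist check in hardenedLookup() is the control that does not depend on the library version.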

Affected Version(s)

Apache Commons BeanUtils 1.x: 1.0 up to, but not including, 1.11.0

Apache Commons BeanUtils 2.x: 2.0.0-M1 up to, but not including, 2.0.0-M2

References

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 8.8
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Raj
Muthukumar Marikani