CVE-2025-48734 — Improper Access Control in Software Foundation Apache Commons Beanutils 1.X
Severity
8.8 HIGH (NVD)
EPSS
0.2%
top 59.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: May 28
Latest update: Jan 15
Description
Improper Access Control vulnerability in Apache Commons.
A special BeanIntrospector class was added in version 1.9.2. It can be used to stop attackers from using the declared class property of Java enum objects to gain access to the classloader. However, this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.
Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum…
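As an added example (not code from this page or from the BeanUtils project), the Java snippet below shows how a deployment still on a release before 1.11.0 can turn the protection on by hand: it registers SuppressPropertiesBeanIntrospector, the BeanIntrospector class the description refers to, on the shared PropertyUtilsBean. The advisory's "declaredClass" property is the bean property derived from Enum.getDeclaringClass(), so the name to suppress is declaringClass; the class name HardenBeanUtils and the Sample enum are assumptions for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class HardenBeanUtils {

    // Bean properties that expose class metadata: "class" comes from
    // Object.getClass(), "declaringClass" from Enum.getDeclaringClass().
    // Both are suppressed by default only from release 1.11.0 onwards.
    private static final Set<String> SUPPRESSED =
            new HashSet<>(Arrays.asList("class", "declaringClass"));

    // Register the suppressing introspector on the shared instance that the
    // static BeanUtils / PropertyUtils helpers delegate to.
    public static void hardenDefaults() {
        PropertyUtilsBean propertyUtils = BeanUtilsBean.getInstance().getPropertyUtils();
        propertyUtils.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(SUPPRESSED));
        // Descriptors are cached per class; clear them so the new introspector applies.
        propertyUtils.clearDescriptors();
    }

    enum Sample { A }   // assumed sample enum, any enum behaves the same

    // True when BeanUtils no longer resolves the property (NoSuchMethodException),
    // i.e. the introspector hid it; false when it is still readable.
    public static boolean isSuppressed(Object bean, String property) {
        try {
            BeanUtilsBean.getInstance().getPropertyUtils().getProperty(bean, property);
            return false;
        } catch (NoSuchMethodException e) {
            return true;
        } catch (ReflectiveOperationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("declaringClass suppressed before: " + isSuppressed(Sample.A, "declaringClass"));
        hardenDefaults();
        System.out.println("declaringClass suppressed after:  " + isSuppressed(Sample.A, "declaringClass"));
    }
}
```

On a release before 1.11.0 the first line prints false and the second true; on 1.11.0 or later both print true, which makes the check a cheap way to confirm which behaviour a deployment actually has.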
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | Exploitability: 2.8 | Impact: 5.9
Affected Packages: 3 packages
Vulnerability Details
CVE List (4)
Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default (2025-05-28)
Vendor Advisories (5)
Oracle: Oracle Communications Risk Matrix: Configuration Management Platform (Apache Commons BeanUtils) — CVE-2025-48734 (2026-01-15)
Oracle: Oracle Communications Applications Risk Matrix: Core (Apache Commons BeanUtils) — CVE-2025-48734 (2025-10-15)
Oracle: Oracle Communications Applications Risk Matrix: Third Party (Apache Commons BeanUtils) — CVE-2025-48734 (2025-07-15)
Red Hat: commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default (2025-05-28)
Debian: CVE-2025-48734: commons-beanutils - Improper Access Control vulnerability in Apache Commons. A special BeanIntros... (2025)