CVE-2025-48734
Description
Improper Access Control vulnerability in Apache Commons BeanUtils.

A special BeanIntrospector class was added in version 1.9.2. It can be used to stop attackers from using the declaring-class property of Java enum objects to get access to the ClassLoader. However, this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows access to that property by default.

Releases 1.11.0 and 2.0.0-M2 address a potential security issue when enum properties are accessed in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can reach the enum's ClassLoader through the declaring-class property that every Java enum object exposes (the advisory calls it declaredClass; the JavaBeans property name, derived from Enum.getDeclaringClass(), is declaringClass). Accessing the enum's declaring class allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Applications that only resolve property paths they construct themselves are not exposed; any code that binds request parameters or other external strings to bean property paths should be treated as affected.

Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the declaring-class property. This new BeanIntrospector is enabled by default, but it can be disabled to regain the old behavior; see section 2.5 of the user's guide and the unit tests.

This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2. Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
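The following Java program is an added example, not code from the advisory or from the Commons BeanUtils project. It shows the vulnerable call pattern described above (an externally supplied property path passed straight to PropertyUtilsBean.getProperty()), the enum -> Class -> ClassLoader walk that such a path can perform, and two mitigations: registering SuppressPropertiesBeanIntrospector explicitly (available since 1.9.2, so it also protects deployments that cannot upgrade immediately) and allow-listing the property paths the caller may request. The Account and Status types, the ALLOWED_PATHS set and the hostile path string are constructed for illustration; the code assumes commons-beanutils 1.9.2 or later on the classpath.

```java
// Added example, not from the advisory or the Commons BeanUtils project.
// Assumes commons-beanutils 1.9.2+ on the classpath; Account, Status and
// ALLOWED_PATHS are hypothetical stand-ins for application code.
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsEnumHardening {

    public enum Status { ACTIVE, DISABLED }

    // A plain JavaBean whose property tree contains an enum.
    public static class Account {
        private final String name;
        private final Status status;
        public Account(String name, Status status) { this.name = name; this.status = status; }
        public String getName() { return name; }
        public Status getStatus() { return status; }
    }

    // Vulnerable pattern: an externally supplied property path goes straight to
    // getProperty(). On 1.x before 1.11.0 (and 2.x before 2.0.0-M2) a path such as
    // "status.declaringClass.classLoader" walks enum -> Class -> ClassLoader.
    public static Object resolveUnchecked(PropertyUtilsBean pub, Object bean, String path)
            throws Exception {
        return pub.getProperty(bean, path);
    }

    // Mitigation 1 (1.9.2+): suppress the "class" and "declaringClass" properties so the
    // introspector never reports them. 1.11.0 / 2.0.0-M2 suppress declaringClass by
    // default; registering it explicitly also covers older releases.
    public static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pub.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(
                Collections.singleton("declaringClass")));
        return pub;
    }

    // Mitigation 2: do not let the caller pick arbitrary paths at all.
    private static final Set<String> ALLOWED_PATHS =
            new HashSet<>(Arrays.asList("name", "status"));

    public static Object resolveAllowListed(PropertyUtilsBean pub, Object bean, String path)
            throws Exception {
        if (!ALLOWED_PATHS.contains(path)) {
            throw new IllegalArgumentException("property path not permitted: " + path);
        }
        return pub.getProperty(bean, path);
    }

    public static void main(String[] args) throws Exception {
        Account acct = new Account("alice", Status.ACTIVE);
        String hostilePath = "status.declaringClass.classLoader"; // constructed attacker input

        // 1. Default PropertyUtilsBean: on an unpatched release this returns a ClassLoader;
        //    on 1.11.0+ the suppressed property is unknown and getProperty() throws.
        try {
            Object leaked = resolveUnchecked(new PropertyUtilsBean(), acct, hostilePath);
            System.out.println("default introspection resolved: " + leaked);
        } catch (NoSuchMethodException e) {
            System.out.println("default introspection blocked (patched BeanUtils): " + e.getMessage());
        }

        // 2. Hardened PropertyUtilsBean: blocked on every supported release.
        try {
            resolveUnchecked(hardenedPropertyUtils(), acct, hostilePath);
            System.out.println("UNEXPECTED: hardened bean still resolved the path");
        } catch (NoSuchMethodException e) {
            System.out.println("hardened introspection blocked: " + e.getMessage());
        }

        // 3. Allow-list: the path is rejected before BeanUtils ever sees it.
        try {
            resolveAllowListed(hardenedPropertyUtils(), acct, hostilePath);
        } catch (IllegalArgumentException e) {
            System.out.println("allow-list rejected: " + e.getMessage());
        }
        System.out.println("legitimate lookup: "
                + resolveAllowListed(hardenedPropertyUtils(), acct, "status"));
    }
}
```

Run it against the BeanUtils version actually shipped in your application (check with your build tool's dependency report rather than the declared version, since transitive dependencies and vendor bundles such as those listed under Associated Vulnerability below often pin an older jar): case 1 printing a ClassLoader is the positive test for exposure. The allow-list is the stronger control because it closes the whole class of "attacker chooses the property path" problems, including ones not covered by the suppressed names.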
Risk Information
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.4.0 | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 14.1.1.0.0 | Windows |
| Vulnerabilities CVE-2025-48734 are fixed in Apache-commons-beanutils 1.11.0 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.60 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.61 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.62 | Windows |
| Multiple vulnerabilities are affected in Oracle Communications Order and Service Management 7.4.0 | Windows |
| Multiple vulnerabilities are affected in Oracle Communications Order and Service Management 7.4.1 | Windows |
| Multiple vulnerabilities are affected in Oracle Communications Order and Service Management 7.5.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 12.0 | Windows |
| Vulnerabilities CVE-2025-48734 are fixed in Apache - commons-beanutils2 2.0.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.12.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.1.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 24.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0.104 | Windows |
| Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.1.11 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 9.0.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 9.5.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.2.0.5 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.2.1.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.2.7 | Windows |
| Vulnerabilities CVE-2025-26791,CVE-2025-48734 are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 21.12.21.5 | Windows |
| Vulnerabilities CVE-2025-26791,CVE-2025-27363,CVE-2025-48734,CVE-2025-48795 are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 22.12.20.0 | Windows |
| Vulnerabilities CVE-2025-26791,CVE-2025-48734,CVE-2025-48795 are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 23.12.17.0 | Windows |
| Vulnerabilities CVE-2025-48734 are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 24.12.6.0 | Windows |
| SUSE-SU-2025:01815-1(Web and Scripting Module 15 SP6) apache-commons-beanutils-1.11.0-150200.3.9.1.noarch.rpm | Linux |
| apache-commons-beanutils Security Update (ALAS-2025-999) apache-commons-beanutils-javadoc-1.11.0-10.amzn2023.0.1.noarch.rpm | Linux |
| apache-commons-beanutils Security Update (ALAS-2025-999) apache-commons-beanutils-1.11.0-10.amzn2023.0.1.noarch.rpm | Linux |
| apache-commons-beanutils Security Update (ALAS-2025-2899) apache-commons-beanutils-javadoc-1.8.3-15.amzn2.0.1.noarch.rpm | Linux |
| apache-commons-beanutils Security Update (ALAS-2025-2899) apache-commons-beanutils-1.8.3-15.amzn2.0.1.noarch.rpm | Linux |
| javapackages-bootstrap Security Update (ALAS-2025-1027) javapackages-bootstrap-1.5.0^20220105.git9f283b7-3.amzn2023.0.6.noarch.rpm | Linux |
| Vulnerabilities CVE-2025-48734 are fixed in Apache-commons-beanutils for Linux 1.11.0 | Linux |
| apache-commons-beanutils Security Update (ALAS2-2025-2899) apache-commons-beanutils-1.8.3-15.amzn2.0.1.noarch.rpm | Linux |
| apache-commons-beanutils Security Update (ALAS2-2025-2899) apache-commons-beanutils-javadoc-1.8.3-15.amzn2.0.1.noarch.rpm | Linux |
| javapackages-bootstrap Security Update (ALAS2023-2025-1027) javapackages-bootstrap-1.5.0^20220105.git9f283b7-3.amzn2023.0.6.noarch.rpm | Linux |
| apache-commons-beanutils Security Update (ALAS2023-2025-999) apache-commons-beanutils-1.11.0-10.amzn2023.0.1.noarch.rpm | Linux |
| apache-commons-beanutils Security Update (ALAS2023-2025-999) apache-commons-beanutils-javadoc-1.11.0-10.amzn2023.0.1.noarch.rpm | Linux |
| Important: javapackages-tools:201801 security update ALSA-2025:9318 sisu-plexus-0.3.3-7.module_el8.10.0+4020+7deec6e4.noarch.rpm | Linux |
| Important: javapackages-tools:201801 security update ALSA-2025:9318 sisu-inject-0.3.3-7.module_el8.10.0+4020+7deec6e4.noarch.rpm | Linux |
| SUSE-SU-2025:01815-1(Web and Scripting Module 15 SP7) apache-commons-beanutils-1.11.0-150200.3.9.1.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 velocity-1.7-24.module+el8.10.0+1763+c7c02164.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 jline-2.14.6-2.module+el8.3.0+241+f23502a8.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 jboss-interceptors-1.2-api-1.0.0-8.module+el8.3.0+133+b8b54b58.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 javassist-javadoc-3.18.1-8.module+el8.10.0+1763+c7c02164.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 javassist-3.18.1-8.module+el8.10.0+1763+c7c02164.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 jansi-native-1.7-7.module+el8.3.0+133+b8b54b58.x86_64.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 jakarta-commons-httpclient-3.1-28.module+el8.10.0+1763+c7c02164.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 hawtjni-runtime-1.16-2.module+el8.3.0+133+b8b54b58.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 guava20-20.0-8.module+el8.3.0+133+b8b54b58.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 apache-commons-net-3.6-3.module+el8.10.0+1763+c7c02164.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 apache-commons-logging-1.2-13.module+el8.3.0+133+b8b54b58.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 apache-commons-lang-2.6-21.module+el8.10.0+1763+c7c02164.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 apache-commons-collections-3.2.2-10.module+el8.10.0+1763+c7c02164.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 xerces-j2-2.11.0-34.module+el8.10.0+1763+c7c02164.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 xml-commons-resolver-1.2-26.module+el8.10.0+1763+c7c02164.noarch.rpm | Linux |
| javapackages-tools:201801 security update (RLSA-2025:9318) RLSA-2025:9318 xalan-j2-2.7.1-38.module+el8.10.0+1763+c7c02164.noarch.rpm | Linux |
| Vulnerabilities CVE-2025-48734 are fixed in Apache - commons-beanutils2 for Linux 2.0.0 | Linux |
| CVE-2025-48734 | NCM |
Patch Details
No records found

References
https://nvd.nist.gov/vuln/detail/CVE-2025-48734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48734