Vulnerability details: VCID-1j1w-c84m-b3h3
Vulnerability ID VCID-1j1w-c84m-b3h3
Aliases CVE-2025-48734
GHSA-wxr5-93ph-8wr9
Summary: Apache Commons BeanUtils Improper Access Control vulnerability

Improper Access Control vulnerability in Apache Commons BeanUtils.

A special BeanIntrospector class (SuppressPropertiesBeanIntrospector) was added in version 1.9.2. It can be used to stop attackers from using the declaring-class property of Java enum objects to get access to the ClassLoader; however, this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declaring-class property access by default.

Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can reach the enum's class loader via the "declaringClass" property that every Java enum object exposes (it is the bean property backed by Enum.getDeclaringClass(); the upstream advisory text spells it "declaredClass"). Accessing the enum's declaring class allows remote attackers to obtain the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().

Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the "declaringClass" property. This BeanIntrospector is enabled by default, but it can be disabled to regain the old behaviour; see section 2.5 of the user's guide and the unit tests.

This issue affects Apache Commons BeanUtils 1.x before 1.11.0 and 2.x before 2.0.0-M2. Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
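The attack path and the two mitigations the advisory describes, as an added example (not code from this page or from the Apache Commons BeanUtils project). It assumes commons-beanutils 1.9.2 or later from the commons-beanutils:commons-beanutils artifact on the classpath (on the 2.x artifact the package is org.apache.commons.beanutils2); the Ticket bean, the Level enum, the attacker-supplied property path and the allowlist are constructed for illustration.

```java
// Added example, not code from the page or from Apache Commons BeanUtils.
// Assumes commons-beanutils 1.9.2+ on the classpath. Ticket, Level, the
// attacker path and the allowlist below are constructed for illustration.
import java.lang.reflect.InvocationTargetException;
import java.util.Collections;
import java.util.Set;

import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class EnumPathHardening {

    // Constructed sample bean: one public enum-typed property is all an
    // attacker needs, because every java.lang.Enum exposes "declaringClass".
    public enum Level { LOW, HIGH }

    public static class Ticket {
        private Level level = Level.HIGH;
        public Level getLevel() { return level; }
        public void setLevel(Level level) { this.level = level; }
    }

    // Vulnerable pattern from the advisory: an externally supplied property
    // path goes straight to getNestedProperty(). On 1.x before 1.11.0 with a
    // default PropertyUtilsBean, "level.declaringClass.classLoader" resolves
    // to the application ClassLoader.
    static Object resolveUnchecked(PropertyUtilsBean pub, Object bean, String path)
            throws IllegalAccessException, InvocationTargetException, NoSuchMethodException {
        return pub.getNestedProperty(bean, path);
    }

    // Mitigation 1 (pre-1.11.0 releases): register the 1.9.2 introspector so
    // the "declaringClass" property is never discovered. 1.11.0 and 2.0.0-M2
    // register an equivalent suppression by default, so this is then redundant.
    static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(
            new SuppressPropertiesBeanIntrospector(Collections.singleton("declaringClass")));
        return pub;
    }

    // Mitigation 2 (independent of library version): only resolve property
    // names the application explicitly allows, and use getSimpleProperty(),
    // which refuses nested paths such as "a.b.c" outright.
    private static final Set<String> ALLOWED = Collections.singleton("level");

    static Object resolveAllowlisted(PropertyUtilsBean pub, Object bean, String path)
            throws IllegalAccessException, InvocationTargetException, NoSuchMethodException {
        if (!ALLOWED.contains(path)) {
            throw new IllegalArgumentException("property not allowed: " + path);
        }
        return pub.getSimpleProperty(bean, path);
    }

    public static void main(String[] args) throws Exception {
        Ticket bean = new Ticket();
        String attackerPath = "level.declaringClass.classLoader"; // constructed attacker input

        PropertyUtilsBean hardened = hardenedPropertyUtils();
        try {
            Object loader = resolveUnchecked(hardened, bean, attackerPath);
            System.out.println("NOT hardened: path resolved to " + loader);
        } catch (NoSuchMethodException expected) {
            // With the suppression in place the descriptor does not exist,
            // so BeanUtils reports an unknown property instead of a ClassLoader.
            System.out.println("hardened: " + expected.getMessage());
        }

        try {
            resolveAllowlisted(hardened, bean, attackerPath);
        } catch (IllegalArgumentException expected) {
            System.out.println("allowlist: " + expected.getMessage());
        }
        System.out.println("allowlist: level = " + resolveAllowlisted(hardened, bean, "level"));
    }
}
```

Running this on a vulnerable release with the addBeanIntrospector call removed prints the ClassLoader from the first branch; with it in place, or on 1.11.0 / 2.0.0-M2, the lookup fails with an unknown-property NoSuchMethodException. The allowlist guard is the check to keep regardless of version: a dependency upgrade closes "declaringClass", but any future property that leaks a Class or ClassLoader is closed only by never letting untrusted input choose the path.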
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages
Weaknesses (3)

System           Score     Found at
cvssv3           8.8       https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48734.json
epss             0.00186   https://api.first.org/data/v1/epss?cve=CVE-2025-48734
epss             0.00211   https://api.first.org/data/v1/epss?cve=CVE-2025-48734
epss             0.00258   https://api.first.org/data/v1/epss?cve=CVE-2025-48734
cvssv3.1         8.8       https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr      HIGH      https://github.com/advisories/GHSA-wxr5-93ph-8wr9
cvssv3.1         8.8       https://github.com/apache/commons-beanutils
generic_textual  HIGH      https://github.com/apache/commons-beanutils
cvssv3.1         8.8       https://github.com/apache/commons-beanutils/commit/bd20740da25b69552ddef8523beec0837297eaf9
generic_textual  HIGH      https://github.com/apache/commons-beanutils/commit/bd20740da25b69552ddef8523beec0837297eaf9
cvssv3.1         8.8       https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9
generic_textual  HIGH      https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9
ssvc             Track     https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9
cvssv3.1         8.8       https://lists.debian.org/debian-lts-announce/2025/06/msg00027.html
generic_textual  HIGH      https://lists.debian.org/debian-lts-announce/2025/06/msg00027.html
cvssv3.1         8.8       https://nvd.nist.gov/vuln/detail/CVE-2025-48734
generic_textual  HIGH      https://nvd.nist.gov/vuln/detail/CVE-2025-48734
cvssv3.1         8.8       http://www.openwall.com/lists/oss-security/2025/05/28/6
generic_textual  HIGH      http://www.openwall.com/lists/oss-security/2025/05/28/6
Reference id      URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48734.json
https://api.first.org/data/v1/epss?cve=CVE-2025-48734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48734
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/commons-beanutils
https://github.com/apache/commons-beanutils/commit/bd20740da25b69552ddef8523beec0837297eaf9
https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9
https://lists.debian.org/debian-lts-announce/2025/06/msg00027.html
https://nvd.nist.gov/vuln/detail/CVE-2025-48734
http://www.openwall.com/lists/oss-security/2025/05/28/6
1106746 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106746
2368956 https://bugzilla.redhat.com/show_bug.cgi?id=2368956
GHSA-wxr5-93ph-8wr9 https://github.com/advisories/GHSA-wxr5-93ph-8wr9
GLSA-202601-05 https://security.gentoo.org/glsa/202601-05
RHSA-2025:10452 https://access.redhat.com/errata/RHSA-2025:10452
RHSA-2025:10453 https://access.redhat.com/errata/RHSA-2025:10453
RHSA-2025:10459 https://access.redhat.com/errata/RHSA-2025:10459
RHSA-2025:10814 https://access.redhat.com/errata/RHSA-2025:10814
RHSA-2025:10931 https://access.redhat.com/errata/RHSA-2025:10931
RHSA-2025:13274 https://access.redhat.com/errata/RHSA-2025:13274
RHSA-2025:15810 https://access.redhat.com/errata/RHSA-2025:15810
RHSA-2025:15811 https://access.redhat.com/errata/RHSA-2025:15811
RHSA-2025:15812 https://access.redhat.com/errata/RHSA-2025:15812
RHSA-2025:15813 https://access.redhat.com/errata/RHSA-2025:15813
RHSA-2025:15814 https://access.redhat.com/errata/RHSA-2025:15814
RHSA-2025:15815 https://access.redhat.com/errata/RHSA-2025:15815
RHSA-2025:15816 https://access.redhat.com/errata/RHSA-2025:15816
RHSA-2025:15817 https://access.redhat.com/errata/RHSA-2025:15817
RHSA-2025:16409 https://access.redhat.com/errata/RHSA-2025:16409
RHSA-2025:16668 https://access.redhat.com/errata/RHSA-2025:16668
RHSA-2025:8265 https://access.redhat.com/errata/RHSA-2025:8265
RHSA-2025:8919 https://access.redhat.com/errata/RHSA-2025:8919
RHSA-2025:9114 https://access.redhat.com/errata/RHSA-2025:9114
RHSA-2025:9115 https://access.redhat.com/errata/RHSA-2025:9115
RHSA-2025:9117 https://access.redhat.com/errata/RHSA-2025:9117
RHSA-2025:9166 https://access.redhat.com/errata/RHSA-2025:9166
RHSA-2025:9318 https://access.redhat.com/errata/RHSA-2025:9318
RHSA-2025:9696 https://access.redhat.com/errata/RHSA-2025:9696
RHSA-2025:9697 https://access.redhat.com/errata/RHSA-2025:9697
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 8.8)
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): low
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): high
Integrity Impact (I): high
Availability Impact (A): high

The same CVSS v3.1 vector is reported by each of these sources:
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48734.json
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/commons-beanutils
https://github.com/apache/commons-beanutils/commit/bd20740da25b69552ddef8523beec0837297eaf9
https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9
https://lists.debian.org/debian-lts-announce/2025/06/msg00027.html
https://nvd.nist.gov/vuln/detail/CVE-2025-48734
http://www.openwall.com/lists/oss-security/2025/05/28/6

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-24T03:55:16Z/ Found at https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9
Exploitation (E): none
Automatable (A): no
Technical Impact (T): total
Mission Prevalence (P): minimal
Public Well-Being Impact (B): material
Mission and Well-Being (M): medium
Decision (D): Track
Exploit Prediction Scoring System (EPSS)
Percentile 0.40388
EPSS Score 0.00186
Published At April 2, 2026, 12:55 p.m.
Date                               Actor               Action   Source                                                                                                                      VulnerableCode version
2026-04-01T12:57:00.228021+00:00   GithubOSV Importer  Import   https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-wxr5-93ph-8wr9/GHSA-wxr5-93ph-8wr9.json   38.0.0