CVE-2025-48043: CWE-863 Incorrect Authorization in ash-project ash
Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2. This issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.
AI Analysis
Technical Summary
This vulnerability (CVE-2025-48043) in ash-project ash involves incorrect authorization checks in the authorizer module (lib/ash/policy/authorizer/authorizer.ex), particularly in the Elixir.Ash.Policy.Authorizer strict_filters/2 function. It allows an attacker with limited privileges to bypass authentication controls, potentially gaining unauthorized access. The affected versions are all releases before 3.6.2. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and integrity.
Potential Impact
Successful exploitation could allow an attacker to bypass authentication mechanisms, leading to unauthorized access to protected resources or functionality within the ash software. This could compromise confidentiality and integrity of data or operations governed by the authorization logic.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided at this time. Users should monitor the ash-project's official channels for updates and apply any released patches promptly once available.
CVE-2025-48043: CWE-863 Incorrect Authorization in ash-project ash
Description
Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2. This issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2025-48043) in ash-project ash involves incorrect authorization checks in the authorizer module (lib/ash/policy/authorizer/authorizer.ex), particularly in the Elixir.Ash.Policy.Authorizer strict_filters/2 function. It allows an attacker with limited privileges to bypass authentication controls, potentially gaining unauthorized access. The affected versions are all releases before 3.6.2. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and integrity.
Potential Impact
Successful exploitation could allow an attacker to bypass authentication mechanisms, leading to unauthorized access to protected resources or functionality within the ash software. This could compromise confidentiality and integrity of data or operations governed by the authorization logic.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided at this time. Users should monitor the ash-project's official channels for updates and apply any released patches promptly once available.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- EEF
- Date Reserved
- 2025-05-15T08:40:25.455Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 68e93535ca439c55520b301d
Added to database: 10/10/2025, 4:32:53 PM
Last enriched: 4/7/2026, 5:45:44 AM
Last updated: 5/10/2026, 3:34:27 PM
Views: 201
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.