CVE-2025-48734: CWE-284 Improper Access Control in Apache Software Foundation Apache Commons BeanUtils 1.x
Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
AI Analysis
Technical Summary
Apache Commons BeanUtils versions 1.x prior to 1.11.0 and 2.x prior to 2.0.0-M2 contain an improper access control vulnerability (CWE-284) related to accessing the 'declaredClass' property of Java enum objects. This property exposes the enum's class loader, which attackers can leverage to execute arbitrary code remotely if untrusted property paths are passed to PropertyUtilsBean.getProperty() or getNestedProperty(). The vulnerability is mitigated starting with versions 1.11.0 and 2.0.0-M2 by enabling a special BeanIntrospector that blocks access to the 'declaredClass' property by default. The fix is available and upgrading to these versions is recommended.
Potential Impact
Successful exploitation allows remote attackers to access the class loader of Java enum objects through the 'declaredClass' property, leading to arbitrary code execution. The vulnerability affects confidentiality, integrity, and availability, as indicated by the CVSS score of 8.8 (high severity). This can result in full system compromise if exploited.
Mitigation Recommendations
A fix is available in Apache Commons BeanUtils versions 1.11.0 and 2.0.0-M2, which enable a BeanIntrospector to suppress access to the 'declaredClass' property by default. Users should upgrade to these versions to remediate the vulnerability. If upgrading is not immediately possible, ensure that untrusted input is not passed directly to PropertyUtilsBean.getProperty() or getNestedProperty() methods. Patch status is confirmed fixed in these versions.
CVE-2025-48734: CWE-284 Improper Access Control in Apache Software Foundation Apache Commons BeanUtils 1.x
Description
Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Apache Commons BeanUtils versions 1.x prior to 1.11.0 and 2.x prior to 2.0.0-M2 contain an improper access control vulnerability (CWE-284) related to accessing the 'declaredClass' property of Java enum objects. This property exposes the enum's class loader, which attackers can leverage to execute arbitrary code remotely if untrusted property paths are passed to PropertyUtilsBean.getProperty() or getNestedProperty(). The vulnerability is mitigated starting with versions 1.11.0 and 2.0.0-M2 by enabling a special BeanIntrospector that blocks access to the 'declaredClass' property by default. The fix is available and upgrading to these versions is recommended.
Potential Impact
Successful exploitation allows remote attackers to access the class loader of Java enum objects through the 'declaredClass' property, leading to arbitrary code execution. The vulnerability affects confidentiality, integrity, and availability, as indicated by the CVSS score of 8.8 (high severity). This can result in full system compromise if exploited.
Mitigation Recommendations
A fix is available in Apache Commons BeanUtils versions 1.11.0 and 2.0.0-M2, which enable a BeanIntrospector to suppress access to the 'declaredClass' property by default. Users should upgrade to these versions to remediate the vulnerability. If upgrading is not immediately possible, ensure that untrusted input is not passed directly to PropertyUtilsBean.getProperty() or getNestedProperty() methods. Patch status is confirmed fixed in these versions.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- apache
- Date Reserved
- 2025-05-23T12:30:32.006Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 68371302182aa0cae24e8dee
Added to database: 5/28/2025, 1:43:30 PM
Last enriched: 4/30/2026, 2:44:29 AM
Last updated: 5/10/2026, 4:37:18 AM
Views: 182
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.