commons-beanutils: Improper Access Control in Apache Commons BeanUtils allowing unauthorized enum property access (CVE-2025-48734) #shorts
Summary
Welcome to our security podcast. Today we cover CVE-2025-48734, a critical improper access control vulnerability in Apache Commons BeanUtils. Attackers can exploit this flaw to load arbitrary classes and execute code remotely.
Product details
The issue affects Apache Commons BeanUtils versions 1.x prior to 1.11.0 and 2.x prior to 2.0.0-M2. BeanUtils is a popular Java library for working with properties on JavaBeans, used widely in enterprise applications and frameworks.
Vulnerability type summary
CVE-2025-48734 is classified as CWE-284, Improper Access Control. It allows unauthorized access to internal classloader functionality by abusing enum property access in the library’s PropertyUtilsBean.
Details of the vulnerability
In BeanUtils versions before the fix, passing uncontrolled property paths to PropertyUtilsBean.getProperty() or getNestedProperty() allows an attacker to reference the “declaredClass” property on any Java enum. By retrieving the enum’s declaredClass, the attacker gains access to the ClassLoader and can load or execute arbitrary code. Although a protective BeanIntrospector was introduced in version 1.9.2, it wasn’t enabled by default until releases 1.11.0 and 2.0.0-M2. Starting in those versions, the declaredClass property is suppressed unless explicitly re-enabled.
Conclusion
To mitigate CVE-2025-48734, upgrade commons-beanutils to 1.11.0 or commons-beanutils2 to 2.0.0-M2. Distributions like Fedora 41 and 42 have already patched this issue. Review your application’s dependencies, apply updates, and avoid passing untrusted property paths directly into BeanUtils methods.
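The protective introspector mentioned in the vulnerability details and the mitigation advice above, shown as an added example that is not code from this page or from the BeanUtils project: it registers the suppressing introspectors on a 1.9.2 to 1.10.x install (where they are not on by default) and checks that the nested enum path can no longer be resolved. The BeanUtilsHardening, Status and Account names are hypothetical; the enum property is registered as "declaringClass" because it is backed by Enum.getDeclaringClass(), the property this page refers to as declaredClass.

```java
import java.util.Arrays;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsHardening {

    // Hypothetical enum standing in for the "status" field the page mentions.
    public enum Status { ACTIVE, DISABLED }

    // Hypothetical server-side object on which an endpoint resolves property paths.
    public static class Account {
        private final Status status = Status.ACTIVE;
        public Status getStatus() { return status; }
    }

    /** Registers the suppressing introspectors on the shared PropertyUtilsBean.
     *  Call once at startup, before any property access, since descriptors are cached. */
    public static PropertyUtilsBean harden() {
        PropertyUtilsBean pub = BeanUtilsBean.getInstance().getPropertyUtils();
        // Hides the "class" property (Object.getClass()) on every bean.
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Hides the enum property backed by Enum.getDeclaringClass() (the page's "declaredClass").
        pub.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(Arrays.asList("declaringClass")));
        pub.clearDescriptors(); // drop any descriptors cached before the introspectors were added
        return pub;
    }

    /** Returns true when the path cannot be resolved, i.e. the introspector removed a step of it. */
    public static boolean isBlocked(PropertyUtilsBean pub, Object bean, String path) {
        try {
            pub.getNestedProperty(bean, path);
            return false;
        } catch (NoSuchMethodException e) {
            return true; // "Unknown property": the descriptor was suppressed
        } catch (ReflectiveOperationException e) {
            return true; // IllegalAccessException / InvocationTargetException
        }
    }

    public static void main(String[] args) throws Exception {
        PropertyUtilsBean pub = harden();
        Account acct = new Account();
        // Ordinary bean access still works after hardening.
        System.out.println("status -> " + pub.getNestedProperty(acct, "status"));
        // The path from the enum to its ClassLoader is now rejected.
        System.out.println("status.declaringClass.classLoader blocked: "
                + isBlocked(pub, acct, "status.declaringClass.classLoader"));
    }
}
```

Upgrading to 1.11.0 or 2.0.0-M2 makes this registration unnecessary, since those releases apply the suppression by default.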
Watch the full video on YouTube: CVE-2025-48734
Remediation and exploitation details
This chain involves the following actors
- Remote Attacker: Crafts and submits malicious property paths to gain unauthorized access
- Application Developer: Builds and maintains the application that uses BeanUtils
- Application Administrator: Manages library versions and configures security settings
The following systems are involved
- Web Application (Exposes an endpoint that uses BeanUtils to resolve property paths on server-side objects): Victim system that forwards external input into BeanUtils
- Apache Commons BeanUtils (Performs Java bean introspection and property access at runtime): Library containing the improper access control vulnerability
Attack entry point
- Property Path Parameter: An HTTP query or form field whose value is passed directly into BeanUtils.getProperty() or getNestedProperty()
Remediation actions
Exploitation actions
Reconnaissance of exposed property names
- Inspect response pages or API schemas for an enum field named 'status'
Append '.declaredClass.classLoader' to the known enum field
- status.declaredClass.classLoader
Uncontrolled invocation of getProperty() returns the ClassLoader object
- GET /api/getProperty?path=status.declaredClass.classLoader
Call loadClass on the obtained ClassLoader instance
- classLoader.loadClass('com.evil.Payload')
Invoke newInstance() or similar factory method on the payload class
- Payload.class.newInstance()
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9
- [2025-05-28] Critical vulnerability found in Apache Commons BeanUtils affecting getProperty function, allowing privilege escalation.
- [2025-06-22] Fedora 42 addresses an access control vulnerability in Apache Commons BeanUtils with CVE-2025-48734.
- [2025-06-22] Fedora 41 addresses an important access control vulnerability in apache-commons-beanutils, resolving CVE-2025-48734.