Description
Improper Access Control vulnerability in Apache Commons.



A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.





Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.

This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils

1.x are recommended to upgrade to version 1.11.0, which fixes the issue.


Users of the artifact org.apache.commons:commons-beanutils2

2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
Published: 2025-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Commons BeanUtils has an improper access control flaw that allows attackers to retrieve the declaredClass property from Java enum objects when they supply unchecked property paths to PropertyUtilsBean. The declaredClass property exposes the enum's class loader, giving an attacker the ability to load and execute arbitrary code, effectively enabling remote code execution. This weakness is represented by CWE‑284 (Improper Access Control).

Affected Systems

Applications using Apache Commons BeanUtils version 1.x before 1.11.0 or 2.x before 2.0.0‑M2 are affected, including many Red‑Hat distributions that incorporate the library in products such as AMQ Streams 2.9, Apache Camel Spring Boot 4, Camel Quarkus 3, Cryostat 4, JBoss Enterprise Application Platform 7, 7.4, 8, and their various Linux releases. Any service that passes untrusted property paths to the getProperty or getNestedProperty methods is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity of the vulnerability, but the EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not included in the CISA KEV catalog. Attackers would need to provide crafted property paths that reference the declaredClass property; if successful, they can exploit the class‑loader exposure to run arbitrary code on the application’s host. The vulnerability is exploitable from the application level, and an attacker does not need direct network access to the system itself beyond the vector that allows injection of the property path.

Generated by OpenCVE AI on April 29, 2026 at 10:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Commons BeanUtils to 1.11.0 or newer for 1.x releases, or to 2.0.0‑M2 or newer for 2.x releases
  • Ensure that any user‑supplied property paths are validated or sanitized before being passed to PropertyUtilsBean or its equivalent methods
  • Verify that the BeanIntrospector that suppresses the declaredClass property is enabled (it is the default in the patched versions)
  • If upgrading is not immediately possible, restrict or remove access to the BeanUtilsBean functionality from external components that receive untrusted input

Generated by OpenCVE AI on April 29, 2026 at 10:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4229-1 commons-beanutils security update
EUVD EUVD EUVD-2025-16219 Apache Commons Improper Access Control vulnerability
Github GHSA Github GHSA GHSA-wxr5-93ph-8wr9 Apache Commons Improper Access Control vulnerability
History

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00215}

 epss

{'score': 0.00296}

Tue, 08 Jul 2025 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9

Tue, 01 Jul 2025 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat amq Streams
CPEs cpe:/a:redhat:amq_streams:2.9::el9
Vendors & Products Redhat amq Streams

Thu, 26 Jun 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat apache Camel Spring Boot
Redhat rhel Eus
CPEs cpe:/a:redhat:apache_camel_spring_boot:4
cpe:/a:redhat:rhel_eus:9.4::crb
Vendors & Products Redhat apache Camel Spring Boot
Redhat rhel Eus

Mon, 23 Jun 2025 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8::crb

Thu, 19 Jun 2025 06:45:00 +0000

Type Values Removed Values Added
References

Tue, 17 Jun 2025 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10.0

Tue, 17 Jun 2025 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux
Redhat jboss Enterprise Application Platform
CPEs cpe:/a:redhat:enterprise_linux:9::crb
cpe:/a:redhat:jboss_enterprise_application_platform:7
cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
Vendors & Products Redhat enterprise Linux
Redhat jboss Enterprise Application Platform

Thu, 12 Jun 2025 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat camel Quarkus
CPEs cpe:/a:redhat:camel_quarkus:3
Vendors & Products Redhat camel Quarkus

Mon, 09 Jun 2025 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache commons Beanutils
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_beanutils:2.0.0:milestone1:*:*:*:*:*:*
Vendors & Products Apache
Apache commons Beanutils

Fri, 06 Jun 2025 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat cryostat
CPEs cpe:/a:redhat:cryostat:4::el9
Vendors & Products Redhat
Redhat cryostat

Thu, 29 May 2025 02:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 28 May 2025 18:30:00 +0000

Type Values Removed Values Added
References

Wed, 28 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 28 May 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
Title Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default
Weaknesses CWE-284
References

Subscriptions

Apache Commons Beanutils
Redhat Amq Streams Apache Camel Spring Boot Camel Quarkus Cryostat Enterprise Linux Jboss Enterprise Application Platform Rhel Eus
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-29T03:55:27.335Z

Reserved: 2025-05-23T12:30:32.006Z

Link: CVE-2025-48734

cve-icon Vulnrichment

Updated: 2025-11-03T20:04:56.273Z

cve-icon NVD

Status : Modified

Published: 2025-05-28T14:15:34.070

Modified: 2025-11-03T20:19:07.317

Link: CVE-2025-48734

cve-icon Redhat

Severity : Important

Publid Date: 2025-05-28T13:32:08Z

Links: CVE-2025-48734 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T10:15:08Z

Weaknesses