CVE-2025-48734 Overview
CVE-2025-48734 is an Improper Access Control vulnerability [CWE-284] in Apache Commons BeanUtils. The flaw allows attackers to access the Java ClassLoader through the declaredClass property exposed on all Java enum objects. Applications that pass externally controlled property paths to PropertyUtilsBean.getProperty() or PropertyUtilsBean.getNestedProperty() enable remote attackers to execute arbitrary code.
The vulnerability affects Apache Commons BeanUtils 1.x before 1.11.0 and 2.x before 2.0.0-M2. Apache addressed the issue by introducing a BeanIntrospector that suppresses the declaredClass property by default.
Critical Impact
Remote attackers with low privileges can reach the JVM ClassLoader through enum property traversal and execute arbitrary code on applications that forward untrusted input to BeanUtils property accessors.
Affected Products
- Apache Commons BeanUtils 1.x prior to 1.11.0 (commons-beanutils:commons-beanutils)
- Apache Commons BeanUtils 2.x prior to 2.0.0-M2 (org.apache.commons:commons-beanutils2)
- Downstream applications and frameworks that pass external property paths to PropertyUtilsBean
Discovery Timeline
- 2025-05-28 - CVE-2025-48734 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-48734
Vulnerability Analysis
Apache Commons BeanUtils provides reflective access to JavaBean properties through PropertyUtilsBean and BeanUtilsBean. When an application forwards user-controlled property paths into getProperty() or getNestedProperty(), the library resolves nested property references using reflection. Every Java enum object exposes a declaredClass property, which returns the underlying Class instance. From that Class, an attacker can navigate to the ClassLoader and ultimately load or invoke arbitrary classes.
Version 1.9.2 introduced a BeanIntrospector capable of suppressing this property, but the protection was not enabled by default. Versions 1.11.0 and 2.0.0-M2 enable the suppressing BeanIntrospector by default through PropertyUtilsBean. Applications that opt out of the new default behavior remain exposed.
Root Cause
The root cause is improper access control over reflective property traversal. BeanUtils permitted resolution of the declaredClass chain on any enum value reachable from an attacker-controlled property path. This exposed the JVM ClassLoader to property navigation, violating the principle that user-supplied property names must not reach sensitive runtime objects.
Attack Vector
The attack vector is network-based against any application that accepts external input as a BeanUtils property path. An attacker submits a crafted nested expression such as one referencing an enum field followed by declaredClass.classLoader and further reflective steps. The resolution chain returns the active ClassLoader, enabling class loading, method invocation, and arbitrary code execution within the JVM process.
No verified public proof-of-concept is referenced in the advisory. For technical details, see the Apache Mailing List Thread and the Openwall OSS-Security Update.
Detection Methods for CVE-2025-48734
Indicators of Compromise
- Application logs containing property path strings that include declaredClass, classLoader, or protectionDomain substrings.
- HTTP request parameters or JSON fields carrying nested dot-notation expressions targeting enum fields.
- Unexpected class loading events or reflection calls originating from threads handling user input.
Detection Strategies
- Inventory all uses of commons-beanutils and commons-beanutils2 across Java applications and identify versions below 1.11.0 and 2.0.0-M2.
- Add static analysis rules that flag calls to PropertyUtilsBean.getProperty() and getNestedProperty() where the property name argument is derived from request data.
- Inspect web application firewall (WAF) and reverse proxy logs for input patterns matching .declaredClass. or .classLoader. traversal.
Monitoring Recommendations
- Enable JVM security auditing for ClassLoader lookups and reflective Class.forName calls inside services that parse user-supplied property paths.
- Alert on dependency-check or Software Composition Analysis (SCA) findings that surface vulnerable BeanUtils artifacts.
- Correlate runtime exceptions from BeanUtils (such as NestedNullException near reflection frames) with inbound request payloads.
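The WAF and application log inspection described in the detection strategies above, as an added Java example that is not code from the page or from the Apache project; it runs over constructed access-log lines, assumes Java 11 or later for URLDecoder.decode(String, Charset) and List.of, and also catches percent-encoded dots that would otherwise split the traversal chain:

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Flags request lines whose dotted property path steps from a bean property into the JVM runtime. */
public final class BeanUtilsPathScanner {
    // A dotted chain containing one of the traversal properties named in the advisory.
    // declaringClass is included as well because that is the spelling of the Enum getter.
    private static final Pattern TRAVERSAL = Pattern.compile(
            "(?i)\\b[A-Za-z_$][\\w$]*(?:\\.[A-Za-z_$][\\w$]*)*"
            + "\\.(?:declaredClass|declaringClass|classLoader|protectionDomain)\\b(?:\\.[A-Za-z_$][\\w$]*)*");

    /** Returns "lineNumber: matchedPath" for each traversal expression found in the log lines. */
    static List<String> scan(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (int i = 0; i < logLines.size(); i++) {
            String raw = logLines.get(i);
            String decoded;
            try {
                // Undo percent-encoding so an encoded dot (%2E) cannot hide the chain.
                decoded = URLDecoder.decode(raw, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformedEscape) {
                decoded = raw; // truncated %xx sequence: fall back to scanning the raw line
            }
            Matcher m = TRAVERSAL.matcher(decoded);
            while (m.find()) {
                hits.add((i + 1) + ": " + m.group());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines in reverse-proxy access-log style; not captured traffic.
        List<String> sample = List.of(
                "10.0.0.5 - - [01/Jun/2025:10:00:01 +0000] \"GET /profile?field=address.city HTTP/1.1\" 200",
                "10.0.0.9 - - [01/Jun/2025:10:00:02 +0000] \"GET /profile?field=status.declaredClass.classLoader HTTP/1.1\" 500",
                "10.0.0.9 - - [01/Jun/2025:10:00:03 +0000] \"GET /profile?field=status%2EdeclaringClass%2EclassLoader HTTP/1.1\" 500");
        scan(sample).forEach(System.out::println);
    }
}
```

The first sample line is benign and produces no hit; the second and third are reported with the decoded path, which is what to correlate against the BeanUtils exceptions mentioned above.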
How to Mitigate CVE-2025-48734
Immediate Actions Required
- Upgrade commons-beanutils:commons-beanutils to version 1.11.0 or later.
- Upgrade org.apache.commons:commons-beanutils2 to version 2.0.0-M2 or later.
- Audit application code for any configuration that disables the new BeanIntrospector and remove that override.
- Validate and allow-list property path inputs before they reach PropertyUtilsBean.
Patch Information
Apache Commons BeanUtils 1.11.0 and 2.0.0-M2 enable a BeanIntrospector that suppresses the declaredClass property by default in PropertyUtilsBean and BeanUtilsBean. Distribution updates are tracked in the Debian LTS Announce and the Apache Mailing List Thread.
Workarounds
- If upgrading is not immediately possible, register the SuppressPropertiesBeanIntrospector manually on the PropertyUtilsBean instance used by the application.
- Reject any user-supplied property path containing class, declaredClass, or classLoader tokens before invoking BeanUtils.
- Restrict BeanUtils usage to internally constructed property paths and refactor code paths that bind external input directly to property navigation APIs.
# Maven dependency update for the 1.x branch
mvn versions:use-dep-version -Dincludes=commons-beanutils:commons-beanutils -DdepVersion=1.11.0 -DforceVersion=true
# Maven dependency update for the 2.x branch
mvn versions:use-dep-version -Dincludes=org.apache.commons:commons-beanutils2 -DdepVersion=2.0.0-M2 -DforceVersion=true
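The manual SuppressPropertiesBeanIntrospector registration and the allow-list check from the Workarounds list above, combined in one added Java example that is not code from the page or from the Apache project. It assumes the 1.x package org.apache.commons.beanutils (2.x uses org.apache.commons.beanutils2), the SUPPRESS_CLASS constant and the Collection-based constructor of SuppressPropertiesBeanIntrospector (present since 1.9.2), and that callers supply the set of root property names they intend to expose:

```java
import java.lang.reflect.InvocationTargetException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/** Wraps nested property reads so an untrusted path cannot reach Class or ClassLoader objects. */
public final class SafeBeanAccess {
    // Property names through which a path leaves the bean graph for JVM runtime objects.
    // The advisory calls the enum property declaredClass; the Enum getter is getDeclaringClass(),
    // so both spellings are suppressed.
    private static final Set<String> DENIED = new HashSet<>(Arrays.asList(
            "class", "declaredClass", "declaringClass", "classLoader", "protectionDomain"));
    // Dotted chains of simple JavaBean names only; indexed and mapped syntax is not accepted.
    private static final Pattern SIMPLE_PATH = Pattern.compile("[a-z][A-Za-z0-9]*(\\.[a-z][A-Za-z0-9]*)*");

    private static final PropertyUtilsBean PROPS = hardenedPropertyUtils();

    /** Workaround for versions before 1.11.0 / 2.0.0-M2: register the suppressing introspectors explicitly. */
    static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS); // hides "class"
        pub.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(DENIED));     // hides the rest
        return pub;
    }

    /** Allow-list check: well-formed, rooted at a permitted property, and free of denied segments. */
    static boolean isAllowedPath(String path, Set<String> allowedRoots) {
        if (path == null || !SIMPLE_PATH.matcher(path).matches()) {
            return false;
        }
        String[] segments = path.split("\\.");
        if (!allowedRoots.contains(segments[0])) {
            return false;
        }
        for (String segment : segments) {
            if (DENIED.contains(segment)) {
                return false;
            }
        }
        return true;
    }

    /** Resolves path against bean only after it passes the allow-list; the introspector is the second layer. */
    public static Object readProperty(Object bean, String path, Set<String> allowedRoots)
            throws IllegalAccessException, InvocationTargetException, NoSuchMethodException {
        if (!isAllowedPath(path, allowedRoots)) {
            throw new IllegalArgumentException("rejected property path: " + path);
        }
        return PROPS.getNestedProperty(bean, path);
    }
}
```

Keeping the validation in front of the library call means a denied path is rejected before reflection starts, while the registered introspector still protects any code that bypasses readProperty and calls PropertyUtilsBean directly.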
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.