Bug#1106746: commons-beanutils: CVE-2025-48734

Salvatore Bonaccorso carnil at debian.org
Thu May 29 06:04:54 BST 2025


Source: commons-beanutils
Version: 1.10.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for commons-beanutils.

CVE-2025-48734[0]:
| Improper Access Control vulnerability in Apache Commons. A special
| BeanIntrospector class was added in version 1.9.2. This can be used to
| stop attackers from using the declared class property of Java enum
| objects to get access to the classloader. However this protection was
| not enabled by default. PropertyUtilsBean (and consequently
| BeanUtilsBean) now disallows declared class level property access by
| default. Releases 1.11.0 and 2.0.0-M2 address a potential security
| issue when accessing enum properties in an uncontrolled way. If an
| application using Commons BeanUtils passes property paths from an
| external source directly to the getProperty() method of
| PropertyUtilsBean, an attacker can access the enum’s class loader via
| the “declaredClass” property available on all Java “enum” objects.
| Accessing the enum’s “declaredClass” allows remote attackers to access
| the ClassLoader and execute arbitrary code. The same issue exists with
| PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and
| 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass”
| property. Note that this new BeanIntrospector is enabled by default,
| but you can disable it to regain the old behavior; see section 2.5 of
| the user's guide and the unit tests. This issue affects Apache Commons
| BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2. Users of the
| artifact commons-beanutils:commons-beanutils 1.x are recommended to
| upgrade to version 1.11.0, which fixes the issue. Users of the
| artifact org.apache.commons:commons-beanutils2 2.x are recommended to
| upgrade to version 2.0.0-M2, which fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48734
    https://www.cve.org/CVERecord?id=CVE-2025-48734
[1] https://www.openwall.com/lists/oss-security/2025/05/28/6
[2] https://dlcdn.apache.org/commons/beanutils/RELEASE-NOTES.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
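
The mitigation the advisory refers to (section 2.5 of the user's guide) can be applied by hand on a 1.9.2 or later build that cannot yet move to 1.11.0, and the same code doubles as a check that the hardening is in effect. The following is an added example, not code from the bug report or from the BeanUtils project. It assumes commons-beanutils 1.9.2 or newer on the classpath (that release introduced SuppressPropertiesBeanIntrospector); the Role enum and the property path are constructed for the demonstration. The bean property name of Enum.getDeclaringClass() is "declaringClass", which is what the advisory calls the “declaredClass” property.

```java
// Added example, not part of the Debian bug report or the BeanUtils project.
// Assumes commons-beanutils >= 1.9.2 on the classpath.
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsHardening {

    // Constructed sample enum, standing in for any enum an application
    // might expose to property-path lookups.
    public enum Role { ADMIN, USER }

    // Property names hidden from introspection. "class" covers
    // Object.getClass(); "declaringClass" is the bean name of
    // Enum.getDeclaringClass(), the property the advisory describes.
    static final Set<String> SUPPRESSED =
            new HashSet<>(Arrays.asList("class", "declaringClass"));

    /** Returns a PropertyUtilsBean that refuses the class-level properties. */
    static PropertyUtilsBean hardened() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(SUPPRESSED));
        return pub;
    }

    /**
     * Resolves a property path the way an application would when it passes
     * external input to getNestedProperty(); returns true if the path
     * resolved, false if the property is unknown or suppressed.
     */
    static boolean reachable(PropertyUtilsBean pub, Object bean, String path) {
        try {
            pub.getNestedProperty(bean, path);
            return true;
        } catch (NoSuchMethodException e) {
            // Suppressed properties surface as "Unknown property".
            return false;
        } catch (ReflectiveOperationException e) {
            // IllegalAccessException / InvocationTargetException
            return false;
        }
    }

    public static void main(String[] args) {
        // A PropertyUtilsBean with no extra introspector: the pre-1.11.0
        // default, where the class-level properties stay reachable.
        PropertyUtilsBean unhardened = new PropertyUtilsBean();
        PropertyUtilsBean safe = hardened();

        // Constructed path of the kind the advisory warns about: it walks
        // from the enum to its Class and on to the Class's loader.
        String path = "declaringClass.classLoader";

        System.out.println("default instance : " + reachable(unhardened, Role.ADMIN, path));
        System.out.println("hardened instance: " + reachable(safe, Role.ADMIN, path));
    }
}
```

On a 1.9.x or 1.10.x build the first line reports that the path resolves and the second that it does not; on 1.11.0 both report false, since that release registers the suppressing introspector by default. Applications that use the shared BeanUtilsBean.getInstance() rather than their own PropertyUtilsBean should register the introspector on BeanUtilsBean.getInstance().getPropertyUtils() instead.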
