PT-2025-23085 · Apache · Apache Commons Beanutils
Muthukumar Marikani
·
Published
2025-05-28
·
Updated
2025-11-18
·
CVE-2025-48734
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Apache Commons BeanUtils versions 1.x before 1.11.0
Apache Commons BeanUtils versions 2.x before 2.0.0-M2
Description
The issue is an improper access control weakness in Apache Commons BeanUtils. Every Java enum constant exposes a declaringClass property, backed by Enum.getDeclaringClass(), and BeanUtils treated it as an ordinary readable bean property. An attacker who controls a property path passed to PropertyUtilsBean.getProperty() or PropertyUtilsBean.getNestedProperty() (for example a request parameter name that is bound to a bean with an enum-typed property) can therefore walk from the enum constant to its Class object and on to that class's ClassLoader, a well-known stepping stone to arbitrary code execution. A SuppressPropertiesBeanIntrospector that hides the declaringClass property has existed since version 1.9.2, but it was not registered by default; versions 1.11.0 and 2.0.0-M2 register it by default.
Recommendations
For Apache Commons BeanUtils versions 1.x (artifact commons-beanutils:commons-beanutils), upgrade to version 1.11.0, which fixes the issue.
For Apache Commons BeanUtils versions 2.x (artifact org.apache.commons:commons-beanutils2), upgrade to version 2.0.0-M2, which fixes the issue.
Where upgrading is not immediately possible and the deployed version is 1.9.2 or later, register SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS on every PropertyUtilsBean in use, including the shared instance returned by BeanUtilsBean.getInstance().getPropertyUtils(); SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS is the analogous introspector for the class property. This makes BeanUtils treat declaringClass as an unknown property instead of resolving it.
Independently of the library version, never pass attacker-controlled property paths to PropertyUtilsBean.getProperty() or PropertyUtilsBean.getNestedProperty(); validate incoming property names against an allow-list of the bean properties the application actually intends to expose.
Fix
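The access path the description refers to, and the introspector-based workaround from the recommendations, as an added Java example (not code from this advisory or from the Apache Commons project): the Mode enum, the Settings bean and the hostile path string are constructed here for illustration, and the only assumed dependency is commons-beanutils 1.9.2 or later, the version in which SuppressPropertiesBeanIntrospector first appeared.

```java
// Added example for CVE-2025-48734; not code from the PT advisory or from
// Apache Commons. Assumes commons-beanutils >= 1.9.2 on the classpath.
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class EnumDeclaringClassDemo {

    /** Hypothetical application enum, like any enum bound to a form field. */
    public enum Mode { SAFE, VERBOSE }

    /** Hypothetical form-backing bean that exposes an enum-typed property. */
    public static class Settings {
        private Mode mode = Mode.SAFE;
        public Mode getMode() { return mode; }
        public void setMode(Mode mode) { this.mode = mode; }
    }

    /**
     * A property path an attacker might supply (for example as a request
     * parameter name). It walks from the enum constant to its declaring
     * Class object (Enum.getDeclaringClass()) and on to that class's
     * ClassLoader (Class.getClassLoader()).
     */
    static final String HOSTILE_PATH = "mode.declaringClass.classLoader";

    /**
     * Unhardened setup: a PropertyUtilsBean with only its default
     * introspectors. On BeanUtils before 1.11.0 / 2.0.0-M2 this resolves
     * the hostile path; on fixed versions the default already blocks it.
     */
    static PropertyUtilsBean unprotected() {
        return new PropertyUtilsBean();
    }

    /**
     * Hardened setup: explicitly register the introspectors that hide the
     * declaringClass and class properties. This is the workaround for
     * 1.9.2 through 1.10.x and is harmless on versions that already do it.
     */
    static PropertyUtilsBean hardened() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pub;
    }

    /** Resolves the path and reports what the caller would get back. */
    static String resolve(PropertyUtilsBean pub, Object bean, String path) {
        try {
            Object value = pub.getNestedProperty(bean, path);
            return "resolved to " + (value == null ? "null" : value.getClass().getName());
        } catch (NoSuchMethodException e) {
            // The suppressing introspector removes the property descriptor,
            // so BeanUtils reports the property as unknown instead of
            // walking through it.
            return "blocked: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) {
        Settings bean = new Settings();
        System.out.println("unprotected: " + resolve(unprotected(), bean, HOSTILE_PATH));
        System.out.println("hardened:    " + resolve(hardened(), bean, HOSTILE_PATH));

        // The same workaround applied to the shared instance that the static
        // BeanUtils / PropertyUtils facades delegate to.
        BeanUtilsBean.getInstance().getPropertyUtils()
            .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
    }
}
```

Run against a vulnerable release, the first line reports a ClassLoader instance, which is exactly the object the advisory warns about; the second line, and both lines on 1.11.0 / 2.0.0-M2, report declaringClass as an unknown property. Registering the introspector on the shared BeanUtilsBean instance is what matters in practice, because frameworks that bind request parameters usually go through the static BeanUtils facade rather than a PropertyUtilsBean they construct themselves.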
RCE
Improper Access Control
Affected Products
Almalinux
Apache Commons Beanutils
Bamboo
Bitbucket
Centos
Confluence
Debian
Red Hat
Red Os
Rocky Linux
Suse