CVE-2025-48734: 
Java vulnerability analysis and mitigation

Improper Access Control vulnerability (CVE-2025-48734) affects Apache Commons BeanUtils versions 1.x before 1.11.0 and 2.x before 2.0.0-M2. The vulnerability was discovered and disclosed on May 28, 2025, by Raj and Muthukumar Marikani. The issue stems from a BeanIntrospector class introduced in version 1.9.2 that was meant to prevent attackers from accessing the classloader through Java enum objects' declared class property, but this protection was not enabled by default (OSS Security).

The vulnerability exists in the PropertyUtilsBean component (and consequently BeanUtilsBean) where property paths from external sources passed to the getProperty() method could allow attackers to access an enum's class loader via the "declaredClass" property available on all Java enum objects. The issue also affects the getNestedProperty() method. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a serious security risk (NVD).

The vulnerability allows remote attackers to access the ClassLoader and potentially execute arbitrary code on affected systems. This could lead to complete system compromise, as attackers could gain unauthorized access to critical data and system resources (OSS Security).

Users of commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, and users of org.apache.commons:commons-beanutils2 2.x should upgrade to version 2.0.0-M2. In these versions, a special BeanIntrospector suppresses the "declaredClass" property by default, though this can be disabled to regain the old behavior as detailed in section 2.5 of the user's guide (OSS Security).