CVE-2025-48734: 
Java vulnerability analysis and mitigation

CVE-2025-48734 is an Improper Access Control vulnerability discovered in Apache Commons BeanUtils, disclosed on May 28, 2025. The vulnerability affects Apache Commons BeanUtils versions 1.x before 1.11.0 and 2.x before 2.0.0-M2. A special BeanIntrospector class was added in version 1.9.2 to prevent attackers from accessing the classloader through Java enum objects' declared class property, but this protection was not enabled by default (OSS Security, NVD).

The vulnerability exists in the PropertyUtilsBean component where property paths from external sources passed to the getProperty() method could allow attackers to access an enum's class loader via the 'declaredClass' property available on all Java enum objects. The issue also affects the getNestedProperty() method. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Wiz).

The vulnerability allows remote attackers to access the ClassLoader and potentially execute arbitrary code on affected systems. This could lead to complete system compromise, as attackers could gain unauthorized access to critical data and system resources (Wiz).

Users of commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, and users of org.apache.commons:commons-beanutils2 2.x should upgrade to version 2.0.0-M2. In these versions, a special BeanIntrospector suppresses the 'declaredClass' property by default, though this can be disabled to regain the old behavior as detailed in section 2.5 of the user's guide (OSS Security).