CVE-2025-48042
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-07

Last updated on: 2026-04-06

Assigner: EEF

Description
Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines 'Elixir.Ash.Actions.Create.Bulk':run/5, 'Elixir.Ash.Actions.Destroy.Bulk':run/6, 'Elixir.Ash.Actions.Update.Bulk:run'/6. This issue affects ash: from pkg:hex/ash before pkg:hex/[email protected], before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-07
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2025-09-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-48042
EUVD
EUVD-2025-27096
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
ash-project ash 3.5.38
ash-project ash 3.5.39
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-48042 is an Incorrect Authorization vulnerability in the ash Erlang package affecting bulk create, update, and destroy actions. The issue occurs because before_transaction hooks are executed before authorization checks during bulk operations. This means a user with low privileges can trigger potentially sensitive or resource-intensive operations in these hooks even if they are not authorized to perform the overall action. The vulnerability arises when bulk actions use a before_transaction hook without a corresponding after_transaction hook, allowing unauthorized execution of code before the system denies the request. [1]

Impact Analysis

This vulnerability can allow an attacker with low privileges to execute arbitrary logic in before_transaction hooks during bulk actions, even if they are not authorized to perform those actions. This can lead to unauthorized side effects or resource consumption, potentially impacting system integrity and availability. Although no confidential information is disclosed, the attacker can cause unauthorized changes or operations to run, which may disrupt normal system behavior or cause unintended consequences. [1]

Detection Guidance

This vulnerability can be detected by reviewing the usage of bulk action calls (create, update, destroy) in the ash framework, specifically checking if any before_transaction hooks are executed without corresponding after_transaction hooks and if authorization checks occur before these hooks. Since the issue involves authorization bypass in bulk actions, detection involves auditing code for bulk actions that use before_transaction hooks without proper authorization enforcement. There are no specific network detection commands provided. However, developers can test by attempting bulk actions with low-privilege users and verifying if before_transaction hooks execute despite authorization failures, for example by adding hooks that raise exceptions if run improperly. No direct network or system commands are provided in the resources. [1, 2]

Mitigation Strategies

The immediate mitigation step is to update the ash package to version 3.5.39 or later, where the vulnerability is fixed. If updating is not immediately possible, developers should modify their before_transaction hooks to include logic that prevents their execution before authorization is confirmed. This means adding explicit authorization checks within before_transaction hooks to avoid premature execution. The patch ensures authorization checks occur before running these hooks in bulk actions, so applying the patch or upgrading is the recommended action. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-48042. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart