CVE-2025-48042
BaseFortify

Publication date: 2025-09-07

Last updated on: 2026-04-06

Assigner: EEF

Description
Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines 'Elixir.Ash.Actions.Create.Bulk':run/5, 'Elixir.Ash.Actions.Destroy.Bulk':run/6, 'Elixir.Ash.Actions.Update.Bulk':run/6. This issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2025-09-07
EPSS evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor      | Product | Version
ash-project | ash     | 3.5.38
ash-project | ash     | 3.5.39
Note: the description above gives 3.5.39 as the first fixed release ("from pkg:hex/ash before 3.5.39"), so the second CPE entry lists the patched version rather than an affected one; treat versions strictly below 3.5.39 as affected.
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-48042 is an Incorrect Authorization vulnerability in the ash Elixir package (published on Hex) affecting bulk create, update, and destroy actions. In bulk operations, before_transaction hooks are executed before the authorization checks run. A user with low privileges can therefore trigger potentially sensitive or resource-intensive logic in these hooks even when they are not authorized to perform the overall action. According to the advisory, the condition is reached when a bulk action uses a before_transaction hook without a corresponding after_transaction hook, so application code in the hook runs before the framework denies the request. [1]


How can this vulnerability impact me?

An attacker with low privileges can cause the application's own before_transaction hook logic to run during a bulk action they are not authorized to perform. Whatever side effects that hook has (external calls, writes outside the transaction, expensive computation) happen before the denial, which can affect system integrity and availability. No confidential information is disclosed by the bug itself, but unauthorized operations may run and disrupt normal system behavior or cause unintended consequences. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection is a code and dependency audit rather than a network check: first, confirm the ash version pinned in the project (mix.lock) is below 3.5.39; second, review bulk action calls (bulk create, update, destroy) for before_transaction hooks, in particular hooks without a corresponding after_transaction hook, and check whether those hooks perform side effects that should only happen after authorization succeeds. To confirm exposure dynamically, run the bulk action as a low-privilege actor that should be denied and verify whether the before_transaction hook still executes, for example by adding a hook that raises or logs when it runs for an unauthorized actor. The cited resources provide no network or system detection commands. [1, 2]
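As an added example (it is not code from this page or from the Ash project), the following Python script implements the first audit step: it reads a project's mix.lock, extracts the pinned ash version and compares it with the 3.5.39 fix version named in the advisory. It assumes the standard hex dependency tuple format that Mix writes to mix.lock ("ash": {:hex, :ash, "3.5.38", ...}); the SAMPLE_LOCK content is constructed. It goes slightly beyond the advisory text by also treating pre-releases of 3.5.39 as vulnerable. Git or path dependencies do not use the hex tuple and are not matched, so an ash checkout pulled from git has to be checked by commit instead.

```python
"""Audit a mix.lock for an ash version affected by CVE-2025-48042.

Added example, not part of the BaseFortify page or the Ash project.
Assumptions: the hex dependency tuple format Mix writes into mix.lock and
the fix version 3.5.39 given in the advisory text. SAMPLE_LOCK is constructed.
"""
import re
import sys
from typing import Optional

FIXED_VERSION = "3.5.39"  # first release containing the fix, per the advisory

# Matches the start of a hex dependency entry as written by Mix, e.g.
#   "ash": {:hex, :ash, "3.5.38", "<sha>", [:mix], [...], "hexpm", "<sha>"},
LOCK_LINE = re.compile(
    r'^\s*"(?P<name>[^"]+)":\s*\{:hex,\s*:(?P<pkg>\w+),\s*"(?P<version>[^"]+)"'
)


def parse_version(v: str) -> tuple:
    """Return a sortable key for a SemVer string.

    '3.5.39'      -> ((3, 5, 39), 1)
    '3.5.39-rc.0' -> ((3, 5, 39), 0, 'rc.0')   # pre-release sorts below release
    Build metadata after '+' is ignored, as SemVer requires.
    """
    v = v.split("+", 1)[0]
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    return (nums, 1) if not pre else (nums, 0, pre)


def ash_version(lock_text: str) -> Optional[str]:
    """Return the version pinned for the hex package :ash, or None if absent."""
    for line in lock_text.splitlines():
        m = LOCK_LINE.match(line)
        if m and m.group("name") == "ash" and m.group("pkg") == "ash":
            return m.group("version")
    return None


def is_vulnerable(version: str) -> bool:
    """True for every ash version strictly below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def audit(lock_text: str) -> str:
    """One-line verdict for a mix.lock's ash entry."""
    v = ash_version(lock_text)
    if v is None:
        return "ash not in mix.lock"
    status = f"VULNERABLE (upgrade to >= {FIXED_VERSION})" if is_vulnerable(v) else "ok"
    return f"ash {v}: {status}"


# Constructed sample lock file; hashes shortened, not real.
SAMPLE_LOCK = """%{
  "ash": {:hex, :ash, "3.5.38", "0000", [:mix], [{:decimal, "~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}], "hexpm", "1111"},
  "ash_postgres": {:hex, :ash_postgres, "2.6.0", "2222", [:mix], [], "hexpm", "3333"},
  "spark": {:hex, :spark, "2.2.0", "4444", [:mix], [], "hexpm", "5555"},
}
"""

if __name__ == "__main__":
    # Usage: python audit_ash.py [path/to/mix.lock]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(audit(text))
```

Run it against a real project with `python audit_ash.py mix.lock`; a verdict of "ok" only covers the dependency version, so the hook review in the second step is still needed for applications that cannot upgrade immediately.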


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to update the ash package to version 3.5.39 or later, where bulk actions perform the authorization check before running before_transaction hooks. If updating is not immediately possible, guard the before_transaction hooks used by bulk actions with an explicit authorization check of your own, so that side-effecting logic is skipped unless the actor is confirmed to be allowed to run the action. Upgrading is the recommended fix; the hook-level guard is a stopgap. [1, 2]

