CVE-2025-48043
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-10

Last updated on: 2026-04-06

Assigner: EEF

Description
Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2. This issue affects ash: from pkg:hex/ash@0 before pkg:hex/[email protected], before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-10
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2025-10-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-48043
EUVD
EUVD-2025-33747
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ash-project ash *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-48043 is an Incorrect Authorization vulnerability in the Ash framework's authorization system. It arises because bypass policies that can never pass at runtime were incorrectly compiled, causing the authorization filters to become overly permissive. Specifically, bypass policies with conditions that are always false were compiled in a way that allowed unauthorized access by effectively negating the condition, making the filter always true. Additionally, runtime policy scenarios that should have been treated as false were instead dropped, further widening access. This flaw allows attackers with low privileges to bypass authentication checks and access data they should not be able to see. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing unauthorized access to sensitive data during read operations. If your project uses filter-based authorization with bypass policies that have runtime-only conditions which never pass, the filters may become overly permissive, exposing data that should be restricted. Attackers with low privileges can exploit this remotely without user interaction, potentially compromising confidentiality and integrity of your data. The vulnerability does not affect availability but poses a high risk to data security. [2]

Detection Guidance

This vulnerability can be detected by testing filter authorization policies that include bypass blocks with runtime-evaluated conditions that never pass. A practical detection method is to issue a read query expected to return no rows under such conditions and verify if it returns an empty list. If unauthorized data is returned, the system is likely affected. Specific commands depend on the application using the ash framework, but generally, you can run queries against resources protected by bypass policies and check if unauthorized data is accessible. There are no explicit command-line commands provided, but the detection involves verifying that queries under impossible bypass conditions do not return data. [2]

Mitigation Strategies

Immediate mitigation steps include: 1) Avoid using bypass policies with runtime-only decidable conditions that may always be false. 2) Use explicit `authorize_if` or `forbid_if` blocks instead of bypass policies for sensitive operations. 3) Add explicit final `forbid_if always()` guards for sensitive read operations as a fallback to prevent unauthorized access. 4) Replace runtime-unknown checks with strict or compile-time checks or restructure policies to avoid empty satisfiability scenarios. Additionally, upgrading to ash version 3.6.2 or later, where the vulnerability is fixed, is recommended. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-48043. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart