CVE-2025-48044
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-17

Last updated on: 2026-04-06

Assigner: EEF

Description
Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/[email protected] before pkg:hex/[email protected], from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-17
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2025-10-17
EPSS Evaluated
2026-06-14
NVD
CVE-2025-48044
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
ash-project ash 3.6.3
ash-project ash 3.7.0
ash-project ash 3.7.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability is related to incorrect authorization logic in the Ash package versions from 3.6.3 up to 3.7.0. Detection involves verifying if your system is running a vulnerable version of the Ash package and testing authorization behavior for bypass policies. Since the issue is in the policy evaluation logic, you can detect it by running authorization tests that attempt to perform actions that should be denied (e.g., create actions by non-admin users) and checking if they are incorrectly authorized. There are no specific network detection commands provided. To check the installed version of Ash in your Elixir project, you can run: `mix deps | grep ash` or check your `mix.lock` file. To test authorization, you would need to run application-specific tests or scripts that exercise policy checks, especially focusing on bypass policies. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade the Ash package to version 3.7.1 or later, where the authorization bypass bug has been fixed. This update corrects the policy evaluation logic to properly check full authorization expressions instead of bypass conditions alone. Until you can upgrade, review and restrict access to resources protected by bypass policies, and consider adding additional authorization checks outside of Ash's policy mechanism to prevent unauthorized access. [2]

Executive Summary

This vulnerability is an incorrect authorization (authentication bypass) issue in the Ash package versions 3.6.3 up to 3.7.0. It occurs because the policy evaluation logic incorrectly uses a bypass condition expression instead of the full authorization expression when deciding access. This flaw allows an attacker to gain unauthorized access to resources protected by bypass policies if the bypass condition is true but the bypass authorization fails and no other policies apply. Essentially, the system mistakenly authorizes access when it should deny it. [2]

Impact Analysis

This vulnerability can allow unauthorized users to bypass authentication and gain access to protected resources or perform actions they should not be allowed to, such as creating data or accessing sensitive information. This can lead to data breaches, unauthorized modifications, and compromise of system integrity and confidentiality. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-48044. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart