CVE-2025-48044
BaseFortify
Publication date: 2025-10-17
Last updated on: 2026-04-06
Assigner: EEF
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ash-project | ash | 3.6.3 |
| ash-project | ash | 3.7.0 |
| ash-project | ash | 3.7.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an incorrect authorization issue (CWE-863, an authorization bypass) in the Ash package versions 3.6.3 up to 3.7.0. It occurs because the policy evaluation logic incorrectly uses a bypass policy's condition expression instead of the full authorization expression when deciding access. This flaw allows an attacker to gain unauthorized access to resources protected by bypass policies when the bypass condition is true but the bypass's own authorization checks fail and no other policies apply. In that situation the system authorizes the request when it should deny it. [2]
How can this vulnerability impact me?
This vulnerability can allow unauthorized users to bypass authorization checks and gain access to protected resources or perform actions they should not be allowed to, such as creating data or accessing sensitive information. This can lead to data breaches, unauthorized modifications, and compromise of system integrity and confidentiality. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to incorrect authorization logic in the Ash package versions from 3.6.3 up to 3.7.0. Detection involves verifying if your system is running a vulnerable version of the Ash package and testing authorization behavior for bypass policies. Since the issue is in the policy evaluation logic, you can detect it by running authorization tests that attempt to perform actions that should be denied (e.g., create actions by non-admin users) and checking if they are incorrectly authorized. There are no specific network detection commands provided. To check the installed version of Ash in your Elixir project, you can run: `mix deps | grep ash` or check your `mix.lock` file. To test authorization, you would need to run application-specific tests or scripts that exercise policy checks, especially focusing on bypass policies. [2]
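The following is an added example, not code from the advisory or from the Ash project. It shows the scenario the explanation above describes (a bypass policy whose condition is true for every logged-in actor but whose authorization check only passes for admins, with no other policy covering the create action) and the kind of application-level ExUnit test the detection answer refers to. On a correct Ash version the non-admin create is forbidden; on an affected version the same test fails because the bypass condition alone is treated as authorization. The domain and resource names, the `:role` actor field and the `:body` attribute are assumptions; the policy DSL checks (`bypass`, `actor_present/0`, `actor_attribute_equals/2`, `action_type/1`, `always/0`) and `Ash.can?/3` are standard Ash 3 APIs.

```elixir
# Added example (hypothetical domain/resource names); not part of the advisory.
defmodule MyApp.Accounts do
  use Ash.Domain

  resources do
    resource MyApp.Accounts.Note
  end
end

defmodule MyApp.Accounts.Note do
  use Ash.Resource,
    domain: MyApp.Accounts,
    data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
    attribute :body, :string, allow_nil?: false, public?: true
  end

  actions do
    # :create accepts only :body; :read is the default read action
    defaults [:read, create: [:body]]
  end

  policies do
    # Bypass condition: any present actor. Bypass authorization: admins only.
    # For a non-admin the condition holds but the authorize_if fails, and no
    # other policy below covers :create, so a correct evaluation must forbid.
    bypass actor_present() do
      authorize_if actor_attribute_equals(:role, :admin)
    end

    # Only reads are covered by a regular policy.
    policy action_type(:read) do
      authorize_if always()
    end
  end
end

defmodule MyApp.Accounts.NoteTest do
  use ExUnit.Case, async: true

  # Constructed actors; :role is an assumed actor field.
  @non_admin %{id: Ash.UUID.generate(), role: :user}
  @admin %{id: Ash.UUID.generate(), role: :admin}

  test "non-admin create is forbidden even though the bypass condition is true" do
    changeset =
      Ash.Changeset.for_create(MyApp.Accounts.Note, :create, %{body: "hello"},
        actor: @non_admin
      )

    # On an affected version this refute fails: the bypass condition is
    # mistaken for authorization and the create is allowed.
    refute Ash.can?(changeset, @non_admin)
    assert {:error, %Ash.Error.Forbidden{}} = Ash.create(changeset)
  end

  test "admin create passes through the bypass" do
    changeset =
      Ash.Changeset.for_create(MyApp.Accounts.Note, :create, %{body: "hello"},
        actor: @admin
      )

    assert Ash.can?(changeset, @admin)
    assert {:ok, %MyApp.Accounts.Note{}} = Ash.create(changeset)
  end
end
```

Run it with `mix test` in the affected project; pairing the forbidden-path test with the admin-path test confirms the policy itself is wired correctly, so a failure of the first test points at the evaluation logic rather than at the policy definition.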
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Ash package to version 3.7.1 or later, where the authorization bypass bug has been fixed. This update corrects the policy evaluation logic to properly check full authorization expressions instead of bypass conditions alone. Until you can upgrade, review and restrict access to resources protected by bypass policies, and consider adding additional authorization checks outside of Ash's policy mechanism to prevent unauthorized access. [2]