{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-48042", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2025-05-15T08:40:25.455Z", "datePublished": "2025-09-07T16:01:01.470Z", "dateUpdated": "2026-04-06T16:44:06.316Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.hex.pm", "cpes": ["cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "packageName": "ash", "packageURL": "pkg:hex/ash", "product": "ash", "programFiles": ["lib/ash/actions/create/bulk.ex", "lib/ash/actions/destroy/bulk.ex", "lib/ash/actions/update/bulk.ex"], "programRoutines": [{"name": "'Elixir.Ash.Actions.Create.Bulk':run/5"}, {"name": "'Elixir.Ash.Actions.Destroy.Bulk':run/6"}, {"name": "'Elixir.Ash.Actions.Update.Bulk':run/6"}], "repo": "https://github.com/ash-project/ash", "vendor": "ash-project", "versions": [{"lessThan": "3.5.39", "status": "affected", "version": "0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "packageName": "ash-project/ash", "packageURL": "pkg:github/ash-project/ash", "product": "ash", "programFiles": ["lib/ash/actions/create/bulk.ex", "lib/ash/actions/destroy/bulk.ex", "lib/ash/actions/update/bulk.ex"], "programRoutines": [{"name": "'Elixir.Ash.Actions.Create.Bulk':run/5"}, {"name": "'Elixir.Ash.Actions.Destroy.Bulk':run/6"}, {"name": "'Elixir.Ash.Actions.Update.Bulk':run/6"}], "repo": "https://github.com/ash-project/ash", "vendor": "ash-project", "versions": [{"lessThan": "5d1b6a5d00771fd468a509778637527b5218be9a", "status": "affected", "version": "0", "versionType": "git"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.5.39", "vulnerable": true}], "negate": false, "operator": "AND"}], "operator": "AND"}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Zach Daniel"}, {"lang": "en", "type": "analyst", "value": "Jonatan M\u00e4nnchen"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels.<p> This vulnerability is associated with program files <tt>lib/ash/actions/create/bulk.ex</tt>, <tt>lib/ash/actions/destroy/bulk.ex</tt>, <tt>lib/ash/actions/update/bulk.ex</tt> and program routines <tt>'Elixir.Ash.Actions.Create.Bulk':run/5</tt>, <tt>'Elixir.Ash.Actions.Destroy.Bulk':run/6</tt>, <tt>'Elixir.Ash.Actions.Update.Bulk':run/6</tt>.</p><p>This issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a.</p>"}], "value": "Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines 'Elixir.Ash.Actions.Create.Bulk':run/5, 'Elixir.Ash.Actions.Destroy.Bulk':run/6, 'Elixir.Ash.Actions.Update.Bulk:run'/6.\n\nThis issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-06T16:44:06.316Z"}, "references": [{"tags": ["vendor-advisory", "related"], "url": "https://github.com/ash-project/ash/security/advisories/GHSA-jj4j-x5ww-cwh9"}, {"tags": ["related"], "url": "https://cna.erlef.org/cves/CVE-2025-48042.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2025-48042"}, {"tags": ["patch"], "url": "https://github.com/ash-project/ash/commit/5d1b6a5d00771fd468a509778637527b5218be9a"}], "source": {"discovery": "EXTERNAL"}, "title": "Before action hooks may execute in certain scenarios despite a request being forbidden", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-08T18:54:54.599381Z", "id": "CVE-2025-48042", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-08T18:55:11.399Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-48042", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-08T18:54:54.599381Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-08T18:55:06.932Z"}}], "cna": {"title": "Before action hooks may execute in certain scenarios despite a request being forbidden", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "remediation developer", "value": "Zach Daniel"}, {"lang": "en", "type": "analyst", "value": "Jonatan M\u00e4nnchen"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"], "repo": "https://github.com/ash-project/ash", "vendor": "ash-project", "product": "ash", "versions": [{"status": "affected", "version": "0", "lessThan": "3.5.39", "versionType": "semver"}], "packageURL": "pkg:hex/ash", "packageName": "ash", "programFiles": ["lib/ash/actions/create/bulk.ex", "lib/ash/actions/destroy/bulk.ex", "lib/ash/actions/update/bulk.ex"], "collectionURL": "https://repo.hex.pm", "defaultStatus": "unaffected", "programRoutines": [{"name": "'Elixir.Ash.Actions.Create.Bulk':run/5"}, {"name": "'Elixir.Ash.Actions.Destroy.Bulk':run/6"}, {"name": "'Elixir.Ash.Actions.Update.Bulk':run/6"}]}, {"cpes": ["cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"], "repo": "https://github.com/ash-project/ash", "vendor": "ash-project", "product": "ash", "versions": [{"status": "affected", "version": "0", "lessThan": "5d1b6a5d00771fd468a509778637527b5218be9a", "versionType": "git"}], "packageURL": "pkg:github/ash-project/ash", "packageName": "ash-project/ash", "programFiles": ["lib/ash/actions/create/bulk.ex", "lib/ash/actions/destroy/bulk.ex", "lib/ash/actions/update/bulk.ex"], "collectionURL": "https://github.com", "defaultStatus": "unaffected", "programRoutines": [{"name": "'Elixir.Ash.Actions.Create.Bulk':run/5"}, {"name": "'Elixir.Ash.Actions.Destroy.Bulk':run/6"}, {"name": "'Elixir.Ash.Actions.Update.Bulk':run/6"}]}], "references": [{"url": "https://github.com/ash-project/ash/security/advisories/GHSA-jj4j-x5ww-cwh9", "tags": ["vendor-advisory", "related"]}, {"url": "https://cna.erlef.org/cves/CVE-2025-48042.html", "tags": ["related"]}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2025-48042", "tags": ["related"]}, {"url": "https://github.com/ash-project/ash/commit/5d1b6a5d00771fd468a509778637527b5218be9a", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines 'Elixir.Ash.Actions.Create.Bulk':run/5, 'Elixir.Ash.Actions.Destroy.Bulk':run/6, 'Elixir.Ash.Actions.Update.Bulk:run'/6.\n\nThis issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels.<p> This vulnerability is associated with program files <tt>lib/ash/actions/create/bulk.ex</tt>, <tt>lib/ash/actions/destroy/bulk.ex</tt>, <tt>lib/ash/actions/update/bulk.ex</tt> and program routines <tt>'Elixir.Ash.Actions.Create.Bulk':run/5</tt>, <tt>'Elixir.Ash.Actions.Destroy.Bulk':run/6</tt>, <tt>'Elixir.Ash.Actions.Update.Bulk':run/6</tt>.</p><p>This issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.5.39"}], "operator": "AND"}], "operator": "AND"}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-06T16:44:06.316Z"}}}, "cveMetadata": {"cveId": "CVE-2025-48042", "state": "PUBLISHED", "dateUpdated": "2026-04-06T16:44:06.316Z", "dateReserved": "2025-05-15T08:40:25.455Z", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "datePublished": "2025-09-07T16:01:01.470Z", "assignerShortName": "EEF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines 'Elixir.Ash.Actions.Create.Bulk':run/5, 'Elixir.Ash.Actions.Destroy.Bulk':run/6, 'Elixir.Ash.Actions.Update.Bulk:run'/6.\n\nThis issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a."}], "id": "CVE-2025-48042", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2025-09-07T16:15:51.240", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2025-48042.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/ash-project/ash/commit/5d1b6a5d00771fd468a509778637527b5218be9a"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/ash-project/ash/security/advisories/GHSA-jj4j-x5ww-cwh9"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://osv.dev/vulnerability/EEF-CVE-2025-48042"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T00:23:36.958808+00:00", "value": {"mitigation_remediation": ["Upgrade ash to version 3.5.39 or later to receive the authorization fix.", "Apply the patch from commit 5d1b6a5d00771fd468a509778637527b5218be9a that restores the proper permission check in the bulk action modules.", "Ensure that all bulk\u2011action endpoints enforce the correct authorization policy and review access logs for unauthorized invocations."], "summary": {"action": "Apply Patch", "impact": "Authorization Bypass on bulk actions"}, "threat_synthesis": {"affected_systems": "ash-project's ash library is impacted. All releases prior to version 3.5.39, and any builds before the commit 5d1b6a5d00771fd468a509778637527b5218be9a, contain the flaw. This includes every package hosted on hex for those versions. The flaw resides in the files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, and lib/ash/actions/update/bulk.ex.", "description_and_impact": "An incorrect authorization flaw in the ash framework allows certain action hooks to run even when the request is marked as forbidden. The vulnerability affects the bulk create, destroy, and update actions, enabling an attacker to execute unintended operations on collections of resources. This leads to a loss of integrity, as unauthorized bulk changes can be made without proper permission checks, consistent with CWE\u2011863.", "risk_and_exploitability": "The CVSS score of 7.1 indicates moderate-to-high severity, while the EPSS score of less than 1% suggests a low likelihood of public exploitation. The vulnerability is not listed in CISA KEV. According to the description, an attacker can trigger forbidden action hooks to perform bulk operations, but the CVE does not specify the exact prerequisites. It is inferred that some level of authentication or privilege may be required, though this inference is not explicitly stated. The attack appears to involve sending requests to an ash-based service, indicating a likely network-based vector, although this inference is not directly supported by the CVE data."}}}}, "created": "2026-04-28T00:30:15.460756+00:00", "updated": "2026-04-28T00:30:15.460768+00:00", "vendors": []}