{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-48043", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2025-05-15T08:40:25.455Z", "datePublished": "2025-10-10T15:57:29.225Z", "dateUpdated": "2026-04-06T16:44:04.990Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.hex.pm", "cpes": ["cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "packageName": "ash", "packageURL": "pkg:hex/ash", "product": "ash", "programFiles": ["lib/ash/policy/authorizer/authorizer.ex"], "programRoutines": [{"name": "'Elixir.Ash.Policy.Authorizer':strict_filters/2"}], "repo": "https://github.com/ash-project/ash", "vendor": "ash-project", "versions": [{"lessThan": "3.6.2", "status": "affected", "version": "0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "packageName": "ash-project/ash", "packageURL": "pkg:github/ash-project/ash", "product": "ash", "programFiles": ["lib/ash/policy/authorizer/authorizer.ex"], "programRoutines": [{"name": "'Elixir.Ash.Policy.Authorizer':strict_filters/2"}], "repo": "https://github.com/ash-project/ash", "vendor": "ash-project", "versions": [{"lessThan": "66d81300065b970da0d2f4528354835d2418c7ae", "status": "affected", "version": "0", "versionType": "git"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.6.2", "vulnerable": true}], "negate": false, "operator": "AND"}], "operator": "AND"}], "credits": [{"lang": "en", "type": "remediation reviewer", "value": "Zach Daniel"}, {"lang": "en", "type": "reporter", "value": "Jonatan M\u00e4nnchen"}, {"lang": "en", "type": "remediation developer", "value": "Jonatan M\u00e4nnchen"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass.<p> This vulnerability is associated with program files <tt>lib/ash/policy/authorizer/authorizer.ex</tt> and program routines <tt>'Elixir.Ash.Policy.Authorizer':strict_filters/2</tt>.</p><p>This issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.</p>"}], "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2.\n\nThis issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-06T16:44:04.990Z"}, "references": [{"tags": ["vendor-advisory", "related"], "url": "https://github.com/ash-project/ash/security/advisories/GHSA-7r7f-9xpj-jmr7"}, {"tags": ["related"], "url": "https://cna.erlef.org/cves/CVE-2025-48043.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2025-48043"}, {"tags": ["patch"], "url": "https://github.com/ash-project/ash/commit/66d81300065b970da0d2f4528354835d2418c7ae"}], "source": {"discovery": "USER"}, "title": "Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-10T16:33:21.270063Z", "id": "CVE-2025-48043", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-10T16:45:42.403Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-48043", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-10T16:33:21.270063Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-10T16:45:36.055Z"}}], "cna": {"title": "Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization", "source": {"discovery": "USER"}, "credits": [{"lang": "en", "type": "remediation reviewer", "value": "Zach Daniel"}, {"lang": "en", "type": "reporter", "value": "Jonatan M\u00e4nnchen"}, {"lang": "en", "type": "remediation developer", "value": "Jonatan M\u00e4nnchen"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"], "repo": "https://github.com/ash-project/ash", "vendor": "ash-project", "product": "ash", "versions": [{"status": "affected", "version": "0", "lessThan": "3.6.2", "versionType": "semver"}], "packageURL": "pkg:hex/ash", "packageName": "ash", "programFiles": ["lib/ash/policy/authorizer/authorizer.ex"], "collectionURL": "https://repo.hex.pm", "defaultStatus": "unaffected", "programRoutines": [{"name": "'Elixir.Ash.Policy.Authorizer':strict_filters/2"}]}, {"cpes": ["cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"], "repo": "https://github.com/ash-project/ash", "vendor": "ash-project", "product": "ash", "versions": [{"status": "affected", "version": "0", "lessThan": "66d81300065b970da0d2f4528354835d2418c7ae", "versionType": "git"}], "packageURL": "pkg:github/ash-project/ash", "packageName": "ash-project/ash", "programFiles": ["lib/ash/policy/authorizer/authorizer.ex"], "collectionURL": "https://github.com", "defaultStatus": "unaffected", "programRoutines": [{"name": "'Elixir.Ash.Policy.Authorizer':strict_filters/2"}]}], "references": [{"url": "https://github.com/ash-project/ash/security/advisories/GHSA-7r7f-9xpj-jmr7", "tags": ["vendor-advisory", "related"]}, {"url": "https://cna.erlef.org/cves/CVE-2025-48043.html", "tags": ["related"]}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2025-48043", "tags": ["related"]}, {"url": "https://github.com/ash-project/ash/commit/66d81300065b970da0d2f4528354835d2418c7ae", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2.\n\nThis issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass.<p> This vulnerability is associated with program files <tt>lib/ash/policy/authorizer/authorizer.ex</tt> and program routines <tt>'Elixir.Ash.Policy.Authorizer':strict_filters/2</tt>.</p><p>This issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.6.2"}], "operator": "AND"}], "operator": "AND"}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-06T16:44:04.990Z"}}}, "cveMetadata": {"cveId": "CVE-2025-48043", "state": "PUBLISHED", "dateUpdated": "2026-04-06T16:44:04.990Z", "dateReserved": "2025-05-15T08:40:25.455Z", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "datePublished": "2025-10-10T15:57:29.225Z", "assignerShortName": "EEF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2.\n\nThis issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae."}], "id": "CVE-2025-48043", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2025-10-10T16:15:52.083", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2025-48043.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/ash-project/ash/commit/66d81300065b970da0d2f4528354835d2418c7ae"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/ash-project/ash/security/advisories/GHSA-7r7f-9xpj-jmr7"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://osv.dev/vulnerability/EEF-CVE-2025-48043"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T23:43:39.559747+00:00", "value": {"mitigation_remediation": ["Upgrade Ash to version 3.6.2 or newer, which contains the fixed authorizer logic.", "If a direct upgrade is impossible, apply the patch from commit 66d8130 to restore correct strict_filters behavior.", "Review custom runtime policies and remove any filters that can never be satisfied, ensuring the authorization checks cannot be bypassed."], "summary": {"action": "Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Glance the Ash framework released before v3.6.2, specifically any installation using the package versions before 3.6.2 or the commit 66d81300065b970da0d2f4528354835d2418c7ae. The vendor is ash\u2011project and the product in question is the Ash package distributed via Hex.", "description_and_impact": "The vulnerability arises from a flaw in the authorizer module of the Ash framework, where runtime policies that should never pass are incorrectly applied, allowing an attacker to bypass authentication checks. This flaw precisely maps to CWE\u2011863, highlighting a failure in authorization logic that permits unauthorized users to gain access to protected resources, potentially leading to data exposure or privilege escalation. As the bypass occurs at the authorization layer, the impact is primarily integrity and confidentiality, with the attacker able to act as a legitimate user without proper credentials.", "risk_and_exploitability": "The CVSS score of 8.6 signals a high severity vulnerability, yet the EPSS score indicates a very low probability of exploitation at present (<1%). Because the flaw is a pure authorization bypass, an attacker would need to craft requests that trigger the flawed strict_filters logic or exploit unauthenticated endpoints. The issue is not yet present in the CISA KEV catalog, so no known exploit code has been reported publicly. The likely attack vector is inferred to be through exposed API endpoints or custom policy definitions that include impossible filter conditions, enabling the attacker to bypass authentication without additional privileges."}}}}, "created": "2026-04-27T23:45:15.898037+00:00", "updated": "2026-04-27T23:45:15.898054+00:00", "vendors": []}