{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-48044", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2025-05-15T08:40:25.455Z", "datePublished": "2025-10-17T13:52:53.644Z", "dateUpdated": "2026-04-16T04:16:08.167Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.hex.pm", "cpes": ["cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "packageName": "ash", "packageURL": "pkg:hex/ash", "product": "ash", "programFiles": ["lib/ash/policy/policy.ex"], "programRoutines": [{"name": "'Elixir.Ash.Policy.Policy':expression/2"}], "repo": "https://github.com/ash-project/ash", "vendor": "ash-project", "versions": [{"lessThan": "3.7.1", "status": "affected", "version": "3.6.3", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "packageName": "ash-project/ash", "packageURL": "pkg:github/ash-project/ash", "product": "ash", "programFiles": ["lib/ash/policy/policy.ex"], "programRoutines": [{"name": "'Elixir.Ash.Policy.Policy':expression/2"}], "repo": "https://github.com/ash-project/ash", "vendor": "ash-project", "versions": [{"lessThan": "8b83efa225f657bfc3656ad8ee8485f9b2de923d", "status": "affected", "version": "79749c2685ea031ebb2de8cf60cc5edced6a8dd0", "versionType": "git"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.7.1", "versionStartIncluding": "3.6.3", "vulnerable": true}], "negate": false, "operator": "AND"}], "operator": "AND"}], "credits": [{"lang": "en", "type": "reporter", "value": "Jechol Lee"}, {"lang": "en", "type": "remediation developer", "value": "Jechol Lee"}, {"lang": "en", "type": "analyst", "value": "Jonatan M\u00e4nnchen"}, {"lang": "en", "type": "remediation reviewer", "value": "Zach Daniel"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass.<p> This vulnerability is associated with program files <tt>lib/ash/policy/policy.ex</tt> and program routines <tt>'Elixir.Ash.Policy.Policy':expression/2</tt>.</p><p>This issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.</p>"}], "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2.\n\nThis issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-16T04:16:08.167Z"}, "references": [{"tags": ["vendor-advisory", "related"], "url": "https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752"}, {"tags": ["related"], "url": "https://cna.erlef.org/cves/CVE-2025-48044.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2025-48044"}, {"tags": ["patch"], "url": "https://github.com/ash-project/ash/commit/8b83efa225f657bfc3656ad8ee8485f9b2de923d"}], "source": {"discovery": "USER"}, "title": "Authorization bypass when bypass policy condition evaluates to true", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"references": [{"url": "https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-20T18:42:50.579615Z", "id": "CVE-2025-48044", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:59:25.673Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-48044", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-20T18:42:50.579615Z"}}}], "references": [{"url": "https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-20T18:42:41.664Z"}}], "cna": {"title": "Authorization bypass when bypass policy condition evaluates to true", "source": {"discovery": "USER"}, "credits": [{"lang": "en", "type": "reporter", "value": "Jechol Lee"}, {"lang": "en", "type": "remediation developer", "value": "Jechol Lee"}, {"lang": "en", "type": "analyst", "value": "Jonatan M\u00e4nnchen"}, {"lang": "en", "type": "remediation reviewer", "value": "Zach Daniel"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"], "repo": "https://github.com/ash-project/ash", "vendor": "ash-project", "product": "ash", "versions": [{"status": "affected", "version": "3.6.3", "lessThan": "3.7.1", "versionType": "semver"}], "packageURL": "pkg:hex/ash", "packageName": "ash", "programFiles": ["lib/ash/policy/policy.ex"], "collectionURL": "https://repo.hex.pm", "defaultStatus": "unaffected", "programRoutines": [{"name": "'Elixir.Ash.Policy.Policy':expression/2"}]}, {"cpes": ["cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"], "repo": "https://github.com/ash-project/ash", "vendor": "ash-project", "product": "ash", "versions": [{"status": "affected", "version": "79749c2685ea031ebb2de8cf60cc5edced6a8dd0", "lessThan": "8b83efa225f657bfc3656ad8ee8485f9b2de923d", "versionType": "git"}], "packageURL": "pkg:github/ash-project/ash", "packageName": "ash-project/ash", "programFiles": ["lib/ash/policy/policy.ex"], "collectionURL": "https://github.com", "defaultStatus": "unaffected", "programRoutines": [{"name": "'Elixir.Ash.Policy.Policy':expression/2"}]}], "references": [{"url": "https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752", "tags": ["vendor-advisory", "related"]}, {"url": "https://cna.erlef.org/cves/CVE-2025-48044.html", "tags": ["related"]}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2025-48044", "tags": ["related"]}, {"url": "https://github.com/ash-project/ash/commit/8b83efa225f657bfc3656ad8ee8485f9b2de923d", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2.\n\nThis issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass.<p> This vulnerability is associated with program files <tt>lib/ash/policy/policy.ex</tt> and program routines <tt>'Elixir.Ash.Policy.Policy':expression/2</tt>.</p><p>This issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.7.1", "versionStartIncluding": "3.6.3"}], "operator": "AND"}], "operator": "AND"}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-16T04:16:08.167Z"}}}, "cveMetadata": {"cveId": "CVE-2025-48044", "state": "PUBLISHED", "dateUpdated": "2026-04-16T04:16:08.167Z", "dateReserved": "2025-05-15T08:40:25.455Z", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "datePublished": "2025-10-17T13:52:53.644Z", "assignerShortName": "EEF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2.\n\nThis issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d."}], "id": "CVE-2025-48044", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2025-10-17T14:15:46.403", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2025-48044.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/ash-project/ash/commit/8b83efa225f657bfc3656ad8ee8485f9b2de923d"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://osv.dev/vulnerability/EEF-CVE-2025-48044"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T16:18:59.207792+00:00", "value": {"mitigation_remediation": ["Update the ash framework to version 3.7.1 or newer to apply the vendor patch.", "Verify that no bypass policy conditions are enabled in the application configuration and that policy expressions evaluate correctly.", "Re-test access controls to confirm that authentication is enforced after the update."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the ash conductor component for all versions of ash from pkg:hex/ash@3.6.3 up to but not including pkg:hex/ash@3.7.1. Earlier releases before commit 8b83efa225f657bfc3656ad8ee8485f9b2de923d are also impacted. The impacted product is the Ash framework maintained by the ash-project; systems running any of these versions should treat the application as vulnerable.", "description_and_impact": "An incorrect authorization logic in ash-project's Ash framework lets a caller authenticate without proper credentials. The flaw resides in the policy evaluation code in lib/ash/policy/policy.ex and the function Elixir.Ash.Policy.Policy.expr/2, causing the system to treat an unauthorized request as authorized when the bypass policy condition evaluates to true. An attacker who can trigger this path could gain access to protected resources or elevate privileges, leading to a full compromise of confidentiality and integrity on the affected servers.", "risk_and_exploitability": "The CVSS score of 8.6 reflects the high impact, yet the EPSS score of < 1% indicates a low current likelihood of exploitation in the wild. The issue is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is an in-application trigger that evaluates a policy condition; once triggered, it permits a bypass of authentication without user interaction, making the vulnerability valuable to attackers."}}}}, "created": "2026-04-20T16:30:06.282519+00:00", "updated": "2026-04-20T16:30:06.284565+00:00", "vendors": []}