CVE-2025-48734
high
CVSS v3
β
CVSS v4 NEW
β
VIR risk
8.0
Description
Important: apache-commons-beanutils security update
Predictions
Exploit likelihood
30%
Patch ETA
β
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Source: Red Hat Errata β Red Hat Inc. Β· View original β Β· Open-Errata-API
Description commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default Red Hat statement This vulnerability is rated as important severity because a flaw exists in Apache Commons BeanUtils, where PropertyUtilsBean and BeanUtilsBean allow uncontrolled access to the declaredClass property of Java enum objects. Applications thatβ¦
Description
commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default
Red Hat statement
This vulnerability is rated as important severity because a flaw exists in Apache Commons BeanUtils, where PropertyUtilsBean and BeanUtilsBean allow uncontrolled access to the declaredClass property of Java enum objects. Applications that pass untrusted property paths directly to getProperty() or getNestedProperty() methods are at risk, as attackers can exploit this behavior to retrieve the ClassLoader instance and execute arbitrary code in the context of the affected application. This issue leads to compromise of confidentiality, integrity, and availability.
CVSS v3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Cryostat 4 on RHEL 9 | cryostat/cryostat-agent-init-rhel9:0.5.1-1 | RHSA-2025:8265 | 2025-06-05T00:00:00Z |
| Cryostat 4 on RHEL 9 | cryostat/cryostat-db-rhel9:4.0.1-4 | RHSA-2025:8265 | 2025-06-05T00:00:00Z |
| Cryostat 4 on RHEL 9 | cryostat/cryostat-grafana-dashboard-rhel9:4.0.1-3 | RHSA-2025:8265 | 2025-06-05T00:00:00Z |
| Cryostat 4 on RHEL 9 | cryostat/cryostat-openshift-console-plugin-rhel9:4.0.1-2 | RHSA-2025:8265 | 2025-06-05T00:00:00Z |
| Cryostat 4 on RHEL 9 | cryostat/cryostat-operator-bundle:4.0.1-1 | RHSA-2025:8265 | 2025-06-05T00:00:00Z |
| Cryostat 4 on RHEL 9 | cryostat/cryostat-ose-oauth-proxy-rhel9:4.0.1-4 | RHSA-2025:8265 | 2025-06-05T00:00:00Z |
| Cryostat 4 on RHEL 9 | cryostat/cryostat-reports-rhel9:4.0.1-2 | RHSA-2025:8265 | 2025-06-05T00:00:00Z |
| Cryostat 4 on RHEL 9 | cryostat/cryostat-rhel9:4.0.1-2 | RHSA-2025:8265 | 2025-06-05T00:00:00Z |
| Cryostat 4 on RHEL 9 | cryostat/cryostat-rhel9-operator:4.0.1-4 | RHSA-2025:8265 | 2025-06-05T00:00:00Z |
| Cryostat 4 on RHEL 9 | cryostat/cryostat-storage-rhel9:4.0.1-4 | RHSA-2025:8265 | 2025-06-05T00:00:00Z |
| Cryostat 4 on RHEL 9 | cryostat/jfr-datasource-rhel9:4.0.1-2 | RHSA-2025:8265 | 2025-06-05T00:00:00Z |
| OCP-Tools-4.12-RHEL-8 | jenkins-0:2.516.2.1756902453-3.el8 | RHSA-2025:15813 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.12-RHEL-8 | jenkins-2-plugins-0:4.12.1756902839-1.el8 | RHSA-2025:15813 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.13-RHEL-8 | jenkins-0:2.516.2.1756902120-3.el8 | RHSA-2025:15815 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.13-RHEL-8 | jenkins-2-plugins-0:4.13.1756901992-1.el8 | RHSA-2025:15815 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.14-RHEL-8 | jenkins-0:2.516.2.1757087588-3.el8 | RHSA-2025:15816 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.14-RHEL-8 | jenkins-2-plugins-0:4.14.1757087858-1.el8 | RHSA-2025:15816 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.15-RHEL-8 | jenkins-0:2.516.2.1756738247-3.el8 | RHSA-2025:15817 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.15-RHEL-8 | jenkins-2-plugins-0:4.15.1756735456-1.el8 | RHSA-2025:15817 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.16-RHEL-9 | jenkins-0:2.516.2.1756733848-3.el9 | RHSA-2025:15811 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.16-RHEL-9 | jenkins-2-plugins-0:4.16.1756734507-1.el9 | RHSA-2025:15811 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.17-RHEL-9 | jenkins-0:2.516.2.1756732303-3.el9 | RHSA-2025:15814 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.17-RHEL-9 | jenkins-2-plugins-0:4.17.1756732064-1.el9 | RHSA-2025:15814 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.18-RHEL-9 | jenkins-0:2.516.2.1756731431-3.el9 | RHSA-2025:15810 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.18-RHEL-9 | jenkins-2-plugins-0:4.18.1756731677-1.el9 | RHSA-2025:15810 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.19-RHEL-9 | jenkins-0:2.516.2.1756903379-3.el9 | RHSA-2025:15812 | 2025-09-15T00:00:00Z |
| OCP-Tools-4.19-RHEL-9 | jenkins-2-plugins-0:4.19.1756901647-1.el9 | RHSA-2025:15812 | 2025-09-15T00:00:00Z |
| Red Hat AMQ Broker 7.12.5 | commons-beanutils | RHSA-2025:16409 | 2025-09-22T00:00:00Z |
| Red Hat AMQ Broker 7.13.1 | commons-beanutils | RHSA-2025:13274 | 2025-08-06T00:00:00Z |
| Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7 | commons-beanutils | RHSA-2025:9697 | 2025-06-25T00:00:00Z |
| Red Hat Build of Apache Camel 4.10 for Quarkus 3.20 | quarkus-camel-bom | RHSA-2025:8919 | 2025-06-11T00:00:00Z |
| Red Hat Build of Apache Camel 4.10 for Quarkus 3.20 | quarkus-cxf-bom | RHSA-2025:8919 | 2025-06-11T00:00:00Z |
| Red Hat Enterprise Linux 10 | apache-commons-beanutils-0:1.9.4-21.el10_0 | RHSA-2025:9166 | 2025-06-17T00:00:00Z |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | apache-commons-beanutils-0:1.8.3-15.el7_9.1 | RHSA-2025:10814 | 2025-07-10T00:00:00Z |
| Red Hat Enterprise Linux 8 | javapackages-tools:201801-8100020250616113255.88f2bc72 | RHSA-2025:9318 | 2025-06-23T00:00:00Z |
| Red Hat Enterprise Linux 9 | apache-commons-beanutils-0:1.9.4-10.el9_6 | RHSA-2025:9114 | 2025-06-16T00:00:00Z |
| Red Hat Enterprise Linux 9.4 Extended Update Support | apache-commons-beanutils-0:1.9.4-9.el9_4.1 | RHSA-2025:9696 | 2025-06-25T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7 | commons-beanutils | RHSA-2025:3467 | 2025-04-01T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | eap7-apache-commons-beanutils-0:1.11.0-1.redhat_00001.1.ep7.el7 | RHSA-2025:16668 | 2025-09-25T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | eap7-hibernate-validator-0:5.3.6-1.SP1_redhat_00001.1.ep7.el7 | RHSA-2025:16668 | 2025-09-25T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | eap7-hornetq-0:2.4.11-1.Final_redhat_00001.1.ep7.el7 | RHSA-2025:16668 | 2025-09-25T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | eap7-undertow-0:1.4.18-17.SP15_redhat_00001.1.ep7.el7 | RHSA-2025:16668 | 2025-09-25T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | eap7-wildfly-0:7.1.12-2.GA_redhat_00002.1.ep7.el7 | RHSA-2025:16668 | 2025-09-25T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | eap7-apache-commons-beanutils-0:1.11.0-1.redhat_00001.1.el7eap | RHSA-2025:16667 | 2025-09-25T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | eap7-hornetq-0:2.4.11-1.Final_redhat_00001.1.el7eap | RHSA-2025:16667 | 2025-09-25T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | eap7-jboss-server-migration-0:1.7.2-19.Final_redhat_00020.1.el7eap | RHSA-2025:16667 | 2025-09-25T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | eap7-undertow-0:2.0.41-5.SP6_redhat_00001.1.el7eap | RHSA-2025:16667 | 2025-09-25T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | eap7-wildfly-0:7.3.15-5.GA_redhat_00003.1.el7eap | RHSA-2025:16667 | 2025-09-25T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.4.22 | | RHSA-2025:9117 | 2025-06-16T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.4.23 | | RHSA-2025:10931 | 2025-07-14T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-activemq-artemis-0:2.16.0-21.redhat_00055.1.el8eap | RHSA-2025:10925 | 2025-07-14T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-apache-cxf-0:3.5.10-1.redhat_00001.1.el8eap | RHSA-2025:10925 | 2025-07-14T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-artemis-native-1:1.0.2-5.redhat_00004.1.el8eap | RHSA-2025:10925 | 2025-07-14T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-elytron-web-0:1.9.6-1.Final_redhat_00001.1.el8eap | RHSA-2025:10925 | 2025-07-14T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-glassfish-jsf-0:2.3.14-9.SP10_redhat_00001.1.el8eap | RHSA-2025:10925 | 2025-07-14T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-hal-console-0:3.3.27-1.Final_redhat_00001.1.el8eap | RHSA-2025:10925 | 2025-07-14T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-hibernate-validator-0:6.0.23-3.SP2_redhat_00001.1.el8eap | RHSA-2025:10925 | 2025-07-14T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-ironjacamar-0:1.5.21-1.Final_redhat_00001.1.el8eap | RHSA-2025:10925 | 2025-07-14T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-jboss-server-migration-0:1.10.0-42.Final_redhat_00042.1.el8eap | RHSA-2025:10925 | 2025-07-14T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-jbossws-cxf-0:5.4.15-1.Final_redhat_00001.1.el8eap | RHSA-2025:10925 | 2025-07-14T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| A-MQ Clients 2 | commons-beanutils | Will not fix |
| A-MQ Clients 2 | commons-beanutils-core | Will not fix |
| Red Hat AMQ Clients | commons-beanutils | Will not fix |
| Red Hat Ansible Automation Platform 2 | commons-beanutils | Not affected |
| Red Hat build of Apache Camel - HawtIO 4 | commons-beanutils | Not affected |
| Red Hat build of Apicurio Registry 2 | commons-beanutils | Affected |
| Red Hat build of Apicurio Registry 3 | commons-beanutils | Affected |
| Red Hat build of Debezium 2 | commons-beanutils | Will not fix |
| Red Hat build of Debezium 2 | commons-beanutils-core | Will not fix |
| Red Hat build of Debezium 3 | commons-beanutils | Will not fix |
| Red Hat build of Debezium 3 | commons-beanutils-core | Will not fix |
| Red Hat build of OptaPlanner 8 | commons-beanutils | Will not fix |
| Red Hat Data Grid 8 | commons-beanutils | Will not fix |
| Red Hat Data Grid 8 | commons-beanutils-core | Will not fix |
| Red Hat Enterprise Linux 6 | jakarta-commons-beanutils | Out of support scope |
| Red Hat Enterprise Linux 6 | qpid-cpp | Out of support scope |
| Red Hat Enterprise Linux 6 | qpid-qmf | Out of support scope |
| Red Hat Enterprise Linux 6 | sat4j | Out of support scope |
| Red Hat Enterprise Linux 7 | xbean | Out of support scope |
| Red Hat Enterprise Linux 9 | jmc | Not affected |
| Red Hat Enterprise Linux 9 | xbean | Not affected |
| Red Hat Fuse 7 | commons-beanutils | Will not fix |
| Red Hat Fuse 7 | commons-beanutils-core | Will not fix |
| Red Hat Integration Camel K 1 | commons-beanutils | Will not fix |
| Red Hat Integration Camel K 1 | commons-beanutils-core | Will not fix |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | commons-beanutils | Not affected |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | org.jboss.eap-jboss-eap-xp | Not affected |
| Red Hat JBoss Web Server 5 | commons-beanutils | Not affected |
| Red Hat JBoss Web Server 6 | commons-beanutils | Not affected |
| Red Hat Process Automation 7 | commons-beanutils | Affected |
| Red Hat Process Automation 7 | commons-beanutils-core | Affected |
| Red Hat Satellite 6 | commons-beanutils | Not affected |
| Red Hat Single Sign-On 7 | commons-beanutils | Not affected |
| streams for Apache Kafka | commons-beanutils | Affected |
| streams for Apache Kafka | commons-beanutils-core | Affected |
Apply commands
Apply RHSA-2025:8265 for Cryostat 4 on RHEL 9
yum update -y cryostat/cryostat-agent-init-rhel9:0
# or:
dnf upgrade -y cryostat/cryostat-agent-init-rhel9:0Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Ansible Automation Platform 2 | Not affected |
| redhat | Red Hat build of Apache Camel - HawtIO 4 | Not affected |
| redhat | Red Hat build of Apicurio Registry 2 | Affected |
| redhat | Red Hat build of Apicurio Registry 3 | Affected |
| redhat | Red Hat Enterprise Linux 9 | Not affected |
| redhat | Red Hat Enterprise Linux 9 | Not affected |
| redhat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not affected |
| redhat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not affected |
| redhat | Red Hat JBoss Web Server 5 | Not affected |
| redhat | Red Hat JBoss Web Server 6 | Not affected |
| redhat | Red Hat Process Automation 7 | Affected |
| redhat | Red Hat Process Automation 7 | Affected |
| redhat | Red Hat Satellite 6 | Not affected |
| redhat | Red Hat Single Sign-On 7 | Not affected |
| redhat | streams for Apache Kafka | Affected |
| redhat | streams for Apache Kafka | Affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| β | Affected | β |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | apache-commons-beanutils-1.9.4-10.el9_6.noarch.rpm |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1.10.1-1.1 |
| sid | Fixed | 1.10.1-1.1 |
| forky | Fixed | 1.10.1-1.1 |
| bullseye | Fixed | 1.9.4-1+deb11u1 |
| bookworm | Fixed | 1.9.4-1+deb12u1 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | β |
| 8 | Fixed | β |
Rocky Linux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | β |
| 8 | Fixed | β |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | commons-beanutils:commons-beanutils | >=1.0,<1.11.0 | 1.11.0 |
| Maven | org.apache.commons:commons-beanutils2 | >=2.0.0-M1,<2.0.0-M2 | 2.0.0-M2 |
References
- https://access.redhat.com/errata/RHSA-2025:9114
- https://security-tracker.debian.org/tracker/CVE-2025-48734
- https://nvd.nist.gov/vuln/detail/CVE-2025-48734
- https://github.com/apache/commons-beanutils/commit/bd20740da25b69552ddef8523beec0837297eaf9
- https://github.com/apache/commons-beanutils
- https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9
- https://lists.debian.org/debian-lts-announce/2025/06/msg00027.html
- http://www.openwall.com/lists/oss-security/2025/05/28/6
- https://www.suse.com/security/cve/CVE-2025-48734.html
- https://errata.rockylinux.org/RLSA-2025:9114
- https://bugzilla.redhat.com/2368956
- https://errata.almalinux.org/9/ALSA-2025-9114.html
- https://access.redhat.com/errata/RHSA-2025:9318
- https://bugzilla.redhat.com/1767483
- https://errata.almalinux.org/8/ALSA-2025-9318.html
- https://errata.rockylinux.org/RLSA-2025:9318
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.