Skip to main content
CVE-2025-48044 HIGH GHSA This Week

Authentication bypass in Ash Framework (Elixir) versions 3.6.3 through 3.7.0 allows low-privileged authenticated attackers to bypass authorization policies and gain unauthorized access to high-confidentiality and high-integrity resources. The flaw resides in the policy expression evaluation logic (lib/ash/policy/policy.ex), enabling attackers to circumvent intended access controls. Publicly available exploit code exists (GitHub commit 8b83efa225f657bfc3656ad8ee8485f9b2de923d references the fix), and with CVSS 8.6 (CVSS 4.0) featuring low attack complexity and network attack vector, this presents significant risk to Elixir applications using vulnerable Ash versions. EPSS data not provided; no CISA KEV status confirmed at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy