CVE-2025-48043
Severity: HIGH
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with the program file lib/ash/policy/authorizer/authorizer.ex and the program routine 'Elixir.Ash.Policy.Authorizer':strict_filters/2.
This issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before commit 66d81300065b970da0d2f4528354835d2418c7ae.
Analysis (AI-generated)
An authorization flaw in the Ash framework (Elixir) allows authenticated users to escalate privileges and access data they are not authorized for, because the policy authorizer's filtering checks are applied incorrectly. All versions before 3.6.2 are affected. EPSS data is not yet available for this recent CVE. There is no confirmed active exploitation (CISA KEV status: not listed), although the issue is tagged as Authentication Bypass and a GitHub security advisory indicates vendor awareness and a published patch.
Technical Context (AI-generated)
Ash is a resource-based Elixir framework for building declarative APIs. The vulnerability lies in the policy authorization layer (lib/ash/policy/authorizer/authorizer.ex), specifically in the 'Elixir.Ash.Policy.Authorizer':strict_filters/2 routine. The flaw is classified as CWE-863 (Incorrect Authorization): an authorization check exists but does not correctly enforce the intended access controls. The strict_filters function is responsible for turning policies into data filters, and the implementation error allows authenticated users to bypass the constraints those filters are meant to impose. Because this is the core authorization mechanism governing which resources and records a user may access in an Ash-powered application, any policy that relies on it is affected. The package identifier pkg:hex/ash@0 indicates the library is distributed via Hex, the Erlang/Elixir package manager.
Affected Products (AI-generated)
This vulnerability affects the Ash framework for Elixir, specifically all versions from pkg:hex/ash@0 (the initial releases) up to but not including 3.6.2. The vulnerability is present in all 3.x branches before the patched release. Organizations should check the ash dependency version in their mix.exs and mix.lock files. The vendor repository is github.com/ash-project/ash, and the security advisory is published at https://github.com/ash-project/ash/security/advisories/GHSA-7r7f-9xpj-jmr7. The defect resides in the strict_filters function of the authorizer.ex module. Applications built on Ash that rely on its policy-based authorization system are vulnerable while running unpatched versions.
Remediation (AI-generated)
Upgrade to Ash version 3.6.2 or later immediately to remediate this vulnerability. The fix is implemented in commit 66d81300065b970da0d2f4528354835d2418c7ae, which corrects the authorization logic in the policy authorizer's strict_filters routine. Update the dependency in mix.exs to {:ash, "~> 3.6.2"} and run mix deps.update ash to pull the patched version. After upgrading, test the application's authorization policies thoroughly to confirm that the expected access controls are enforced. Review application logs for suspicious access patterns that may indicate prior exploitation, focusing on authenticated users reaching resources outside their normal authorization scope. No workarounds are available; upgrading is the only effective remediation. Consult the official security advisory at https://github.com/ash-project/ash/security/advisories/GHSA-7r7f-9xpj-jmr7 and the Erlang Ecosystem Foundation CVE page at https://cna.erlef.org/cves/CVE-2025-48043.html for additional vendor guidance.