CVE-2025-48044
Authorization bypass when bypass policy condition evaluates to true
| CVSS Score | 0.0 |
| EPSS Score | 0.1% |
| EPSS Percentile | 34th |
Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.
| CWE | CWE-863 |
| Vendor | ash-project |
| Product | ash |
| Published | Oct 17, 2025 |
| Last Updated | Apr 16, 2026 |
Affected Versions
ash-project / ash
3.6.3 < 3.7.1
ash-project / ash
79749c2685ea031ebb2de8cf60cc5edced6a8dd0 < 8b83efa225f657bfc3656ad8ee8485f9b2de923d
References
github.com: https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752
cna.erlef.org: https://cna.erlef.org/cves/CVE-2025-48044.html
osv.dev: https://osv.dev/vulnerability/EEF-CVE-2025-48044
github.com: https://github.com/ash-project/ash/commit/8b83efa225f657bfc3656ad8ee8485f9b2de923d
Credits
Jechol Lee, Jonatan Männchen, Zach Daniel