{"id":"EEF-CVE-2025-48044","summary":"Authorization bypass when bypass policy condition evaluates to true","details":"Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2.\n\nThis issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.","aliases":["CVE-2025-48044","GHSA-pcxq-fjp3-r752"],"modified":"2026-04-06T17:01:50.482632Z","published":"2025-10-17T13:52:53.644Z","database_specific":{"capec_ids":["CAPEC-115"],"cwe_ids":["CWE-863"],"cpe_ids":["cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"]},"references":[{"type":"ADVISORY","url":"https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2025-48044.html"},{"type":"FIX","url":"https://github.com/ash-project/ash/commit/8b83efa225f657bfc3656ad8ee8485f9b2de923d"},{"type":"PACKAGE","url":"https://hex.pm/packages/ash"}],"affected":[{"package":{"name":"ash","ecosystem":"Hex","purl":"pkg:hex/ash"},"ranges":[{"type":"SEMVER","events":[{"introduced":"3.6.3"},{"fixed":"3.7.1"}]}],"versions":["3.6.3","3.7.0"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2025-48044.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/ash-project/ash","events":[{"introduced":"79749c2685ea031ebb2de8cf60cc5edced6a8dd0"},{"fixed":"8b83efa225f657bfc3656ad8ee8485f9b2de923d"}]}],"versions":["v3.6.3","v3.6.4","v3.7.0"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2025-48044.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}],"credits":[{"name":"Jechol Lee","type":"REPORTER"},{"name":"Jechol Lee","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen","type":"ANALYST"},{"name":"Zach Daniel","type":"REMEDIATION_REVIEWER"}]}