Incorrect Authorization Affecting ash package, versions <3.5.39


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.29% (21st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-HEX-ASH-12670881
  • published15 Sept 2025
  • disclosed7 Sept 2025
  • creditZach Daniel

Introduced: 7 Sep 2025

CVE-2025-48042  (opens in a new tab)
CWE-863  (opens in a new tab)

How to fix?

Upgrade ash to version 3.5.39 or higher.

Overview

ash is an A declarative, extensible framework for building Elixir applications.

Affected versions of this package are vulnerable to Incorrect Authorization when running a bulk of action calls with a before_transaction hook and no after_transaction hook. A malicious user could cause a before_transaction to run even though they are not authorized to perform the whole action. The before_action could run a sensitive/expensive operation.

Workarounds

If for whatever reason you cannot update, you can add logic to those before_transaction hooks to prevent them from doing their logic before they should.

References

CVSS Base Scores

version 4.0
version 3.1