GHSA-pcxq-fjp3-r752

Опубликовано: 17 окт. 2025

Источник: github

Github: Прошло ревью

CVSS4: 8.6

CVSS3: 8.1

Описание

Ash has authorization bypass when bypass policy condition evaluates to true

Summary

Bypass policies incorrectly authorize requests when their condition evaluates to true but their authorization checks fail and no other policies apply.

Impact

Resources with bypass policies can be accessed without proper authorization when:

Bypass condition evaluates to true
Bypass authorization checks fail
Other policies exist but their conditions don't match

Details

Vulnerable code in: lib/ash/policy/policy.ex:69

{%{bypass?: true}, cond_expr, complete_expr}, {one_condition_matches, all_policies_match} -> { b(cond_expr or one_condition_matches), # <- Bug: uses condition only b(complete_expr or all_policies_match) }

The final authorization decision is: one_condition_matches AND all_policies_match

When a bypass condition is true but bypass policies fail, and subsequent policies have non-matching conditions:

one_condition_matches = cond_expr (bypass condition) = true (bug - should check if bypass actually authorizes)
all_policies_match = (complete_expr OR NOT cond_expr) for each policy
- For non-matching policies: (false OR NOT false) = true (policies don't apply)
Final: true AND true = true (incorrectly authorized)

The bypass condition alone satisfies "at least one policy applies" even though the bypass fails to authorize.

Fix

Replace cond_expr with complete_expr on line 69:

{%{bypass?: true}, _cond_expr, complete_expr}, {one_condition_matches, all_policies_match} -> { b(complete_expr or one_condition_matches), # <- Fixed b(complete_expr or all_policies_match) }

Line 52 should also be updated for consistency (though it's only triggered when bypass is the last policy, making it coincidentally safe in practice):

{%{bypass?: true}, _cond_expr, complete_expr}, {one_condition_matches, true} -> { b(complete_expr or one_condition_matches), # <- For consistency complete_expr }

PoC

policies do bypass always() do authorize_if actor_attribute_equals(:is_admin, true) end policy action_type(:read) do authorize_if always() end end

Non-admin user can perform create actions (should be denied).

Test demonstrating the bug:

test "bypass policy bug" do policies = [ %Ash.Policy.Policy{ bypass?: true, condition: [{Ash.Policy.Check.Static, result: true}], # condition = true policies: [ %Ash.Policy.Check{ type: :authorize_if, check: {Ash.Policy.Check.Static, result: false}, # policies = false check_module: Ash.Policy.Check.Static, check_opts: [result: false] } ] }, %Ash.Policy.Policy{ bypass?: false, condition: [{Ash.Policy.Check.Static, result: false}], policies: [ %Ash.Policy.Check{ type: :authorize_if, check: {Ash.Policy.Check.Static, result: true}, check_module: Ash.Policy.Check.Static, check_opts: [result: true] } ] } ] expression = Ash.Policy.Policy.expression(policies, %{}) assert expression == false # Expected: false (deny) # Actual on main: true (incorrectly authorized) end

Ссылки

Пакеты

Наименование

ash

Затронутые версииВерсия исправления

>= 3.6.3, <= 3.7.0

3.7.1

EPSS

Процентиль: 32%

0.00125

Низкий

8.6 High

CVSS4

8.1 High

CVSS3

CVE ID

CVE-2025-48044

Дефекты

CWE-863

Связанные уязвимости

CVE-2025-48044

nvd

4 месяца назад

Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.

EPSS

Процентиль: 32%

0.00125

Низкий

8.6 High

CVSS4

8.1 High

CVSS3

CVE ID

CVE-2025-48044

Дефекты

CWE-863