A CVE has been identified for Apache Commons Beanutils: https://nvd.nist.gov/vuln/detail/CVE-2025-48734
It affects versions 1.x before 1.11.0. IDM seems to be using version 1.9.4, so we need to upgrade to version 1.11.0 as per organizational requirements.
Identity Manager 14.5.x
An application is vulnerable to CVE-2025-48734 when it uses BeanUtils and passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean. In that case, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects.
Remediation is not required as the CVE does not apply to any Identity Manager use case.
Identity Manager does not use the methods .getProperty( , ) and .getNestedProperty( , ). There are no such use cases in IM, so IM is NOT impacted.
Even though IM is not impacted by CVE-2025-48734, in the next release (to be determined) we will upgrade this jar to commons-beanutils-1.11.0.jar.
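To check both points on an installed tree (which commons-beanutils jar ships, and whether any class references the methods named above), the following is an added example, not Broadcom or Apache tooling. It matches strings in each class file's constant pool, so a hit is a candidate for review rather than a confirmed call site; the jar names, class names and sample jar are constructed.

```python
import io
import re
import zipfile

FIXED = (1, 11, 0)  # per the page: 1.x before 1.11.0 is affected
JAR_RE = re.compile(r"commons-beanutils-(\d+)\.(\d+)\.(\d+)\.jar$")
PKG = b"org/apache/commons/beanutils/"
METHODS = {b"getProperty", b"getNestedProperty"}  # methods named on the page
# Bytes that follow the tag for each fixed-width constant-pool entry type.
SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def jar_status(name):
    """(version, affected) for a commons-beanutils jar file name, else None."""
    m = JAR_RE.search(name)
    if not m:
        return None
    version = tuple(map(int, m.groups()))
    return version, version[0] == 1 and version < FIXED

def utf8_constants(data):
    """CONSTANT_Utf8 values in a class file's constant pool (empty if not a class)."""
    out, pos, i = set(), 10, 1
    count = int.from_bytes(data[8:10], "big") if data[:4] == b"\xca\xfe\xba\xbe" else 0
    while i < count and pos < len(data):
        tag = data[pos]
        if tag == 1:
            n = int.from_bytes(data[pos + 1:pos + 3], "big")
            out.add(data[pos + 3:pos + 3 + n])
        pos += 3 + n if tag == 1 else 1 + SIZES.get(tag, len(data))  # unknown tag: stop
        i += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    return out

def candidate_callers(jar_bytes):
    """Class entries referencing a beanutils class plus a flagged method name."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        pools = {e: utf8_constants(jar.read(e)) for e in jar.namelist() if e.endswith(".class")}
    return sorted(e for e, p in pools.items()
                  if p & METHODS and any(c.startswith(PKG) for c in p))

def sample_jar():
    """Constructed jar: class stubs holding only a header and a Utf8 constant pool."""
    def stub(*s):
        pool = b"".join(b"\x01" + len(x).to_bytes(2, "big") + x for x in s)
        return b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + (len(s) + 1).to_bytes(2, "big") + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Uses.class", stub(PKG + b"PropertyUtilsBean", b"getNestedProperty"))
        jar.writestr("com/example/Clean.class", stub(b"java/lang/System", b"getProperty"))
    return buf.getvalue()
```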