CVE

CVE-2025-57738

CVE

CVE-2025-57738

Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.

Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.

Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

7.2

3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.2

3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Related Resources

No items found.

References

http://www.openwall.com/lists/oss-security/2025/10/20/1, https://lists.apache.org/thread/x7cv6xv7z76y49grdr1hgj1pzw5zbby6

Severity

7.2

CVSS Score

Basic Information

Ecosystem

Base CVSS

7.2

EPSS Probability

0.00094%

EPSS Percentile

0.26899%

Introduced Version

49c2e53ba6baf1423a89b5ab9a24aa665a5780ad

Fix Available

5967b55326c25ea243da45acc2c9733819973c08

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2025-57738

CVE-2025-57738

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

7.2

Basic Information

Fix Critical Vulnerabilities Instantly