Apache Syncope: Remote Code Execution by delegated administrators_CVE-2025-57738

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.
Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.
Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.

Basic Information

ID CVE-2025-57738

Source apache

Published Oct 20, 2025 at 14:43

Modified Oct 20, 2025 at 15:15

Affected Product

Vendor Apache Software Foundation

Product Apache Syncope

Version 2.1

Affected Versions Apache Software Foundation Apache Syncope 2.1
Apache Software Foundation Apache Syncope 3.0
Apache Software Foundation Apache Syncope 4.0

CWE Classification

CWE-653

References

lists.apache.org /thread/x7cv6xv7z76y49grdr1hgj1pzw5zbby6

{
    "lastseen": "",
    "description": "Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.\nSuch a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.\nUsers are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.",
    "published": "2025-10-20T14:43:39.985Z",
    "modified": "2025-10-20T15:15:48.774Z",
    "type": "cve",
    "title": "Apache Syncope: Remote Code Execution by delegated administrators",
    "source": "apache",
    "references": "https://lists.apache.org/thread/x7cv6xv7z76y49grdr1hgj1pzw5zbby6",
    "id": "CVE-2025-57738",
    "bulletinFamily": "",
    "cwe": [
        "CWE-653"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Syncope 2.1\nApache Software Foundation Apache Syncope 3.0\nApache Software Foundation Apache Syncope 4.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Syncope",
    "version": "2.1",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}