
CVE-2025-57738


Published: Oct 20, 2025

Modified: Nov 4, 2025

Status: PUBLISHED

Description

Apache Syncope lets each deployment extend or customize its base behavior by supplying custom implementations of a few Java interfaces. These implementations can be provided either as Java classes or as Groovy classes; the Groovy route is particularly attractive because the machinery supports runtime reload. The feature has been available for some time, but it was recently discovered that a malicious administrator can inject Groovy code that a running Apache Syncope Core instance then executes remotely. Users are recommended to upgrade to version 3.0.14 or 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox. Note that the 2.1 line is listed below as affected, but no fixed 2.1 release is given on this page.
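As an added illustration (not Apache Syncope's code, and not the actual 3.0.14/4.0.2 patch), the following Java program contrasts the pattern the advisory describes, a GroovyShell evaluating an administrator-supplied Groovy body with no restrictions, with a compile-time policy built on Groovy's SecureASTCustomizer. The class name, the script strings and the method allowlist are constructed for this example; it assumes Groovy 4.x on the classpath (the allowlist setters used below are called set*Whitelist in Groovy 3).

```java
import groovy.lang.Binding;
import groovy.lang.GroovyShell;
import org.codehaus.groovy.ast.expr.ClassExpression;
import org.codehaus.groovy.ast.expr.ConstructorCallExpression;
import org.codehaus.groovy.ast.expr.MethodCallExpression;
import org.codehaus.groovy.ast.expr.PropertyExpression;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.MultipleCompilationErrorsException;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

import java.util.List;
import java.util.Set;

/*
 * Added example, not Apache Syncope code. Contrasts a default GroovyShell
 * (everything reachable from the JVM is callable) with one that carries a
 * compile-time AST policy. Assumes Groovy 4.x; setter names are Groovy 4's.
 */
public class GroovySandboxDemo {

    // Constructed stand-ins for an "implementation" an administrator uploads.
    static final String BENIGN_SCRIPT = "value.trim().toUpperCase()";
    static final String MALICIOUS_SCRIPT = "'id'.execute().text";
    static final String MALICIOUS_SCRIPT_2 = "Runtime.getRuntime().exec('id')";

    // Assumed policy: the only method names an uploaded transformation may call.
    static final Set<String> ALLOWED_METHODS =
            Set.of("trim", "toUpperCase", "toLowerCase", "replace", "length", "substring");

    /** Vulnerable pattern: the admin-supplied script runs with the whole JVM in reach. */
    static Object evalUnsandboxed(String script, String value) {
        Binding binding = new Binding();
        binding.setVariable("value", value);
        return new GroovyShell(binding).evaluate(script);
    }

    /** Hardened pattern: disallowed constructs are rejected before any bytecode exists. */
    static Object evalSandboxed(String script, String value) {
        SecureASTCustomizer policy = new SecureASTCustomizer();
        policy.setPackageAllowed(false);
        policy.setMethodDefinitionAllowed(false);
        policy.setClosuresAllowed(false);
        // Empty (non-null) allowlists reject every explicit import statement.
        policy.setAllowedImports(List.of());
        policy.setAllowedStarImports(List.of());
        policy.setAllowedStaticImports(List.of());
        policy.setAllowedStaticStarImports(List.of());

        // Per-expression check: allowlist method names, and refuse the usual routes
        // back to reflection and the runtime (class references, constructors,
        // property access such as .class / .metaClass).
        SecureASTCustomizer.ExpressionChecker checker = expression -> {
            if (expression instanceof MethodCallExpression) {
                // getMethodAsString() is null for dynamic names like value."${n}"()
                String name = ((MethodCallExpression) expression).getMethodAsString();
                return name != null && ALLOWED_METHODS.contains(name);
            }
            return !(expression instanceof PropertyExpression
                    || expression instanceof ClassExpression
                    || expression instanceof ConstructorCallExpression);
        };
        policy.addExpressionCheckers(checker);

        CompilerConfiguration config = new CompilerConfiguration();
        config.addCompilationCustomizers(policy);
        Binding binding = new Binding();
        binding.setVariable("value", value);
        return new GroovyShell(binding, config).evaluate(script);
    }

    public static void main(String[] args) {
        String input = "  alice ";
        System.out.println("unsandboxed benign    : " + evalUnsandboxed(BENIGN_SCRIPT, input));
        // The default shell happily spawns a process for the uploaded "implementation".
        System.out.println("unsandboxed malicious : " + evalUnsandboxed(MALICIOUS_SCRIPT, input));

        for (String script : List.of(BENIGN_SCRIPT, MALICIOUS_SCRIPT, MALICIOUS_SCRIPT_2)) {
            try {
                System.out.println("sandboxed accepted    : " + script + " -> " + evalSandboxed(script, input));
            } catch (MultipleCompilationErrorsException | SecurityException e) {
                // A policy violation surfaces at compile time, before evaluate() runs anything.
                System.out.println("sandboxed rejected    : " + script);
            }
        }
    }
}
```

Two caveats a practitioner should keep in mind. SecureASTCustomizer works on the AST at compile time only; it does not see what Groovy's dynamic dispatch resolves at runtime, so a policy like the one above should be paired with static compilation or a runtime interceptor rather than relied on alone. And the precondition in the advisory is an authenticated administrator: whatever the sandbox allows, the right to upload implementations should be scoped as tightly as the deployment permits and audited like any other code-deployment path.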

Affected products

Vendor: Apache Software Foundation
Product: Apache Syncope

Affected version ranges (inclusive):
  2.1 through 2.1.14
  3.0 through 3.0.13
  4.0 through 4.0.1

Weaknesses (CWE)
