CVE-2007-6382
Description
A robot in Robocode before 1.5.1 can execute arbitrary Java code by invoking SwingUtilities.invokeLater on the Event Dispatch Thread.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Robocode before version 1.5.1 runs every robot inside the same JVM as the application, under a custom SecurityManager (RobocodeSecurityManager) that is meant to keep robot code away from files, the network, and the rest of the system. Its checkPermission() method, however, returned immediately for any code running on the Swing Event Dispatch Thread (EDT) [1]. Since SwingUtilities.invokeLater() is a public API that any robot can call, a robot could hand the EDT an arbitrary Runnable and have it executed with every permission check skipped. The companion change to buildRobotList() in RobotSelectionPanel, which switched from a dedicated thread to SwingUtilities.invokeLater(), is a Swing threading change shipped alongside the fix and is not the cause of the flaw [2]. All versions prior to 1.5.1 are affected.
Exploitation
An attacker needs only the ability to run a custom robot in Robocode. The robot, during its turn, calls SwingUtilities.invokeLater() with a Runnable containing the attacker's code. When the EDT runs that Runnable, every call into RobocodeSecurityManager.checkPermission() returns before checking anything, so the code runs with the full privileges of the Robocode process. No network position, authentication, or user interaction beyond starting a battle with the rogue robot is required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary Java code with the full privileges of the Robocode process: reading, writing, and deleting files, executing system commands, and installing persistent malware. Because Robocode is a desktop application, that privilege level is normally the account of the user who launched it, so the result is a full compromise of that user's account on the host [1].
Mitigation
The fix was released in Robocode version 1.5.1 [1]. Commit 2f2867d24fb2 replaces the unconditional EDT exemption in RobocodeSecurityManager.checkPermission() with a stack walk that returns early only when the call originated from one of two bundled tools (codesize.Codesize.processZipFile() or ar.robocode.cachecleaner.CacheCleaner.clean()); any other code on the EDT now goes through the normal permission checks. The accompanying commit 8c6f5d77e772 changes buildRobotList() to use SwingUtilities.invokeLater() instead of a new Thread() and does not itself affect the permission model [2]. Users should upgrade to version 1.5.1 or later. There is no known workaround for unpatched versions other than running only robots from trusted sources [3].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| net.sf.robocode:robocode.core (Maven) | < 1.5.1 | 1.5.1 |
Patches
2f2867d24fb2: Bugfix: Fixed security flaw with the Event Dispatch Thread, where robots could use the SwingUtilities.invokeLater() for running any code they should like
1 file changed · +14 −2
robocode/robocode/security/RobocodeSecurityManager.java+14 −2 modified@@ -205,9 +205,21 @@ public void checkPermission(Permission perm) { return; } catch (SecurityException e) {} - // Allow the Event Dispatch Thread + // Check if it was one of the tools for Robocode that was invoked by the Event Dispatch Thread if (javax.swing.SwingUtilities.isEventDispatchThread()) { - return; + StackTraceElement[] stackTrace = new Throwable().getStackTrace(); + + for (StackTraceElement element : stackTrace) { + String classname = element.getClassName(); + String method = element.getMethodName(); + + if (classname.equals("codesize.Codesize") && method.equals("processZipFile")) { + return; + } + if (classname.equals("ar.robocode.cachecleaner.CacheCleaner") && method.equals("clean")) { + return; + } + } } // For development purposes, allow read any file if override is set.
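Review bot: the new allow-list in the isEventDispatchThread() branch trusts any frame whose class name is "codesize.Codesize" or "ar.robocode.cachecleaner.CacheCleaner", but StackTraceElement only carries strings, so a robot that defines its own class under that fully qualified name with a method called processZipFile (or clean) and calls it from its invokeLater Runnable would pass this check unless the robot class loader refuses to define classes in those packages. Prefer comparing the actual caller classes (SecurityManager.getClassContext() yields Class objects whose ClassLoader can be checked against the application's) over name matching, or at least document the assumption that robot code cannot occupy those package names. Two smaller points on the same hunk: `new Throwable().getStackTrace()` is captured on every checkPermission() call made from the EDT, which is a hot path, and a match anywhere in the stack also exempts whatever those two tools call, so the exemption is broader than their own work.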
8c6f5d77e772: Changed buildRobotList() to use SwingUtilities.invokeLater instead of using a thread
1 file changed · +3 −3
robocode/robocode/dialog/RobotSelectionPanel.java+3 −3 modified@@ -462,18 +462,18 @@ public Object getElementAt(int which) { } public void buildRobotList() { - new Thread(new Runnable() { + SwingUtilities.invokeLater(new Runnable() { public void run() { getAvailableRobotsPanel().setRobotList(null); - List<FileSpecification> l = RobotSelectionPanel.this.robotManager.getRobotRepository().getRobotSpecificationsList(onlyShowSource, onlyShowWithPackage, onlyShowRobots, onlyShowDevelopment, onlyShowPackaged, ignoreTeamRobots); + List<FileSpecification> l = robotManager.getRobotRepository().getRobotSpecificationsList(onlyShowSource, onlyShowWithPackage, onlyShowRobots, onlyShowDevelopment, onlyShowPackaged, ignoreTeamRobots); getAvailableRobotsPanel().setRobotList(l); if (preSelectedRobots != null && preSelectedRobots.length() > 0) { setSelectedRobots(getAvailableRobotsPanel().getRobotList(), preSelectedRobots); preSelectedRobots = null; } } - }).start(); + }); } public AvailableRobotsPanel getAvailableRobotsPanel() {
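Review bot: the commit message gives no reason for dropping the worker thread, and the Runnable now calls robotManager.getRobotRepository().getRobotSpecificationsList(...) on the EDT, so the repository scan blocks the UI for as long as enumeration takes. If the intent is only to satisfy Swing's single-thread rule for setRobotList() and setSelectedRobots(), keep the scan on a background thread and wrap just those UI calls in SwingUtilities.invokeLater(); if the scan was moved onto the EDT for another reason (for example the security manager's treatment of the EDT), state it in the message, since the companion security-manager change narrows that exemption. The RobotSelectionPanel.this.robotManager to robotManager simplification is fine but unrelated to the stated change.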
Vulnerability mechanics
Root cause
"The Robocode security manager unconditionally allowed all code running on the Event Dispatch Thread (EDT), enabling a robot to invoke SwingUtilities.invokeLater() to bypass permission checks and execute arbitrary Java code."
Attack vector
An attacker creates a malicious robot that calls SwingUtilities.invokeLater() with a Runnable containing arbitrary Java code. Because the original security manager [patch_id=21989] allowed all permissions when javax.swing.SwingUtilities.isEventDispatchThread() returned true, the malicious code runs with full privileges. The robot can be loaded from a remote source or packaged into a .jar and imported into Robocode. No authentication or special network access is required beyond the ability to deploy a robot.
Affected code
The vulnerability is in robocode/security/RobocodeSecurityManager.java, specifically in the checkPermission() method where the EDT check unconditionally returned [patch_id=21989]. The fix also touches robocode/dialog/RobotSelectionPanel.java to change buildRobotList() from a new thread to SwingUtilities.invokeLater() [patch_id=21990].
What the fix does
The patch [patch_id=21989] replaces the blanket EDT exemption with a stack walk that returns early only when one of two known callers is on the stack: codesize.Codesize.processZipFile() or ar.robocode.cachecleaner.CacheCleaner.clean(). Any other code running on the EDT now falls through to the remaining checks in checkPermission(), the same ones a robot thread is subject to, so invokeLater() no longer buys a robot anything. The companion patch [patch_id=21990] changes buildRobotList() from new Thread().start() to SwingUtilities.invokeLater() so that the Swing calls it makes (setRobotList(), setSelectedRobots()) run on the EDT as Swing's threading rules require; it does not touch the permission model.
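The following is an added Java example, not Robocode's own code, illustrating the exemption described in the Exploitation paragraph above and the stack-walk replacement described in this section. It models the EDT decision inside RobocodeSecurityManager.checkPermission() as two static methods rather than installing a real SecurityManager (which current JDKs deprecate and disable by default), so it runs on any recent JDK; the class and method names EdtExemptionDemo, legacyAllows, patchedAllows and runRogueRobot, and the sample FilePermission, are this example's own.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicReference;
import javax.swing.SwingUtilities;

// Added illustration, not Robocode code: the Event Dispatch Thread (EDT)
// exemption from RobocodeSecurityManager.checkPermission() before and after
// the 1.5.1 fix, reduced to a yes/no decision about a single permission.
public final class EdtExemptionDemo {

    // Pre-1.5.1: anything on the EDT is trusted. This is the flaw; the
    // permission itself is never examined. (Assumption for this demo: a
    // robot thread has no other route to the permission, so it is denied.)
    static boolean legacyAllows(Permission perm) {
        if (SwingUtilities.isEventDispatchThread()) {
            return true;
        }
        return false;
    }

    // 1.5.1: the EDT is trusted only when one of two bundled tools is on the
    // call stack; everything else falls through to the normal checks, which
    // this demo represents as a denial. Names are matched as strings, exactly
    // as in the fix commit.
    static boolean patchedAllows(Permission perm) {
        if (SwingUtilities.isEventDispatchThread()) {
            for (StackTraceElement e : new Throwable().getStackTrace()) {
                String cls = e.getClassName();
                String method = e.getMethodName();
                if (cls.equals("codesize.Codesize") && method.equals("processZipFile")) {
                    return true;
                }
                if (cls.equals("ar.robocode.cachecleaner.CacheCleaner") && method.equals("clean")) {
                    return true;
                }
            }
        }
        return false;
    }

    // The whole attack: a rogue robot hands the EDT a Runnable and waits for
    // it. Returns {legacy decision, patched decision} as seen inside the EDT.
    static boolean[] runRogueRobot() throws InterruptedException {
        Permission want = new FilePermission("/etc/passwd", "read"); // constructed sample
        AtomicReference<boolean[]> seen = new AtomicReference<>();
        CountDownLatch done = new CountDownLatch(1);
        SwingUtilities.invokeLater(() -> {
            seen.set(new boolean[] { legacyAllows(want), patchedAllows(want) });
            done.countDown();
        });
        done.await();
        return seen.get();
    }

    public static void main(String[] args) throws InterruptedException {
        Permission want = new FilePermission("/etc/passwd", "read");
        System.out.println("robot thread, legacy policy  : " + legacyAllows(want));
        System.out.println("robot thread, patched policy : " + patchedAllows(want));
        boolean[] viaEdt = runRogueRobot();
        System.out.println("via invokeLater, legacy      : " + viaEdt[0]);
        System.out.println("via invokeLater, patched     : " + viaEdt[1]);
    }
}
```

Compile and run with `javac EdtExemptionDemo.java && java EdtExemptionDemo`; it needs no window, only the AWT event queue. The legacy policy denies the read on the robot's own thread and grants it inside the invokeLater callback, which is the bypass; the patched policy denies it in both places because neither codesize.Codesize.processZipFile nor CacheCleaner.clean appears on the EDT's stack when a robot's Runnable is running.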
Preconditions
- Attacker must be able to deploy a robot (e.g., via remote robot loading or importing a .jar) into a Robocode instance prior to version 1.5.1.
- The robot must call SwingUtilities.invokeLater() with a Runnable containing arbitrary code.
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secunia.com/advisories/28080 (nvd; Patch)
- github.com/advisories/GHSA-xh22-fw58-56pp (ghsa; Advisory)
- nvd.nist.gov/vuln/detail/CVE-2007-6382 (ghsa; Advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/39019 (nvd; Web)
- github.com/robo-code/robocode/blob/1abe65b65c34a8eb3d23de8f037dafae3c548fa5/versions.md (ghsa; Web)
- github.com/robo-code/robocode/commit/2f2867d24fb28a2478983be57556f2355a774a81 (ghsa; Web)
- github.com/robo-code/robocode/commit/8c6f5d77e7723583ba069ea611c33f22c1e9603a (ghsa; Web)
- osvdb.org/40473 (nvd)
- sourceforge.net/project/shownotes.php (nvd)
- www.securityfocus.com/bid/26854 (nvd)