High severity · NVD Advisory · Published Oct 20, 2025 · Updated Nov 4, 2025

Apache Syncope: Remote Code Execution by delegated administrators

CVE-2025-57738

Description

Apache Syncope offers the ability to extend and customize its base behavior on every deployment by accepting custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, the latter being particularly attractive because the machinery supports runtime reload. This feature has been available for a while, but it was recently discovered that a malicious administrator can inject Groovy code that is then executed remotely by a running Apache Syncope Core instance. Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.
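As an added illustration of the mitigation class the fix describes (this is not Syncope's own code, and the advisory does not show how its sandbox is implemented), the Java program below compiles Groovy scripts through a SecureASTCustomizer allow-list so that a script doing anything beyond plain arithmetic is refused before it can run. It assumes a Groovy 3.0.4+ or 4.x jar on the classpath, which is where the setAllowed* method names come from; the two scripts fed to it are constructed for the demo.

```java
import groovy.lang.GroovyShell;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.MultipleCompilationErrorsException;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;
import static org.codehaus.groovy.syntax.Types.*;
import java.util.List;

@SuppressWarnings("rawtypes") public class GroovySandboxDemo {

    // Compiler that accepts only arithmetic on numeric literals; imports, closures,
    // method definitions and any other receiver type are refused at compile time.
    static GroovyShell sandboxedShell() {
        SecureASTCustomizer secure = new SecureASTCustomizer();
        secure.setClosuresAllowed(false);
        secure.setMethodDefinitionAllowed(false);
        secure.setIndirectImportCheckEnabled(true); // also checks fully qualified names used inline
        secure.setAllowedImports(List.of());
        secure.setAllowedStaticImports(List.of());
        secure.setAllowedStarImports(List.of());
        secure.setAllowedStaticStarImports(List.of("java.lang.Math"));
        secure.setAllowedTokens(List.of(PLUS, MINUS, MULTIPLY, DIVIDE, MOD, POWER,
                COMPARE_EQUAL, COMPARE_NOT_EQUAL, COMPARE_LESS_THAN, COMPARE_GREATER_THAN));
        secure.setAllowedConstantTypesClasses(List.<Class>of(
                Integer.class, Long.class, Double.class, Integer.TYPE, Long.TYPE, Double.TYPE));
        secure.setAllowedReceiversClasses(List.<Class>of(
                Math.class, Integer.class, Long.class, Double.class));
        CompilerConfiguration cfg = new CompilerConfiguration();
        cfg.addCompilationCustomizers(secure);
        return new GroovyShell(cfg);
    }

    // Compiles and runs a script, returning null when the sandbox rejects it. The
    // customizer raises SecurityException during compilation; depending on the Groovy
    // version it surfaces directly or wrapped in MultipleCompilationErrorsException.
    static Object runOrReject(GroovyShell shell, String script) {
        try {
            return shell.evaluate(script);
        } catch (SecurityException | MultipleCompilationErrorsException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        GroovyShell shell = sandboxedShell();
        System.out.println(runOrReject(shell, "(3 + 4) * 5"));
        // Constructed script that tries to read a host file: the String literal and the
        // File receiver are both outside the allow-list, so it never compiles, let alone runs.
        System.out.println(runOrReject(shell, "new File('/etc/hostname').text"));
    }
}
```

SecureASTCustomizer inspects the syntax tree at compile time only, so dynamic features such as reflection or metaprogramming are not covered by it; treat it as one layer of a sandbox, not the whole of one.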


Affected packages

Versions sourced from the GitHub Security Advisory.

Package (ecosystem)                                  Affected versions       Patched versions
org.apache.syncope.core:syncope-core-spring (Maven)  < 3.0.14                3.0.14
org.apache.syncope.core:syncope-core-spring (Maven)  >= 4.0.0-M0, < 4.0.2    4.0.2
