VYPR
Get started
← All advisories
High severityNVD Advisory· Published Jun 19, 2025· Updated Jun 23, 2025

Improper Control of Dynamically-Managed Code Resources in Crafter Studio

CVE-2025-6384

Description

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.

By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution).

This issue affects CrafterCMS: from 4.0.0 through 4.2.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.craftercms:crafter-studioMaven
>= 4.0.0, < 4.3.04.3.0

Affected products

1

Patches

1
471bbad07cf1

Handle Groovy Sandbox Bypass with RCE (#3724)

https://github.com/craftercms/studioPhil NguyenFeb 12, 2025via ghsa
commit
1 file changed · +11 1
  • src/main/resources/crafter/studio/groovy/blacklist+11 1 modified
    @@ -49,6 +49,16 @@ method java.lang.Class newInstance
 
 # Same for local process execution.
 staticMethod java.lang.Runtime getRuntime
+new java.lang.ProcessBuilder java.util.List
+new java.lang.ProcessBuilder java.lang.String[]
+new freemarker.template.utility.Execute
+staticMethod jdk.jshell.JShell create
+staticMethod jdk.jshell.JShell builder
+staticMethod groovy.util.Eval me java.lang.String
+staticMethod groovy.util.Eval me java.lang.String java.lang.Object java.lang.String
+staticMethod groovy.util.Eval x java.lang.Object java.lang.String
+staticMethod groovy.util.Eval xy java.lang.Object java.lang.Object java.lang.String
+staticMethod groovy.util.Eval xyz java.lang.Object java.lang.Object java.lang.Object java.lang.String
 
 # Leak information.
 staticMethod java.lang.System getProperties
@@ -111,4 +121,4 @@ new org.kohsuke.groovy.sandbox.impl.Checker$ThisConstructorWrapper java.lang.Obj
 field org.craftercms.studio.impl.v2.service.scripting.internal.ScriptingServiceInternalImpl sandboxInterceptor
 
 # Spring methods
-method org.springframework.core.env.ConfigurableEnvironment getSystemEnvironment
\ No newline at end of file
+method org.springframework.core.env.ConfigurableEnvironment getSystemEnvironment

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.