Vulnerability Database
299,030
Total vulnerabilities in the database
CVE-2025-57738
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload. Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance. Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.
| Software | From | Fixed in |
|---|---|---|
org.apache.syncope.core / syncope-core-spring
|
- | 3.0.14 |
|
org.apache.syncope.core / syncope-core-spring
|
4.0.0-M0 | 4.0.2 |
| apache / syncope | 2.1.0 | 3.0.14 |
| apache / syncope | 4.0.0 | 4.0.2 |
- http://www.openwall.com/lists/oss-security/2025/10/20/1
- https://github.com/apache/syncope/commit/88c2b5b0be9e2ed66007d672e786165bc266e717
- https://github.com/apache/syncope/commit/8b08c4d5785599a0e38830dcff89738b93f02a16
- https://issues.apache.org/jira/browse/SYNCOPE-1907
- https://lists.apache.org/thread/x7cv6xv7z76y49grdr1hgj1pzw5zbby6
- https://syncope.apache.org/security#CVE-2025-57738
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime