CVE-2025-6384

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.

By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution).

This issue affects CrafterCMS: from 4.0.0 through 4.2.2.

Published: Jun 19, 2025
Updated: Jun 29, 2025
CVE: CVE-2025-6384
GHSA: GHSA-5644-3vgq-2ph5
Severity: High
Exploit:

No technical information available.

CWEs:

CWE-913

Affected Software
References

Software	From	Fixed in
org.craftercms / crafter-studio	4.0.0	4.3.0

https://docs.craftercms.org/current/security/advisory.html#cv-2025061901
https://github.com/craftercms/studio/commit/471bbad07cf1f3b420529a020c1409ad57d48a4e

Vulnerability Database

289,571

CVE-2025-6384